asyncrat | 0c4b7a3670f4ef5f7ba2d7e820cb3df837a72c08a4d039768b50617c06983308

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 63 IoCs

pid	Process
4604	cmd.exe
2756	svchost.exe
2164	svchost.exe
1956	cmd.exe
1980	OfficeClickToRun.exe
780	svchost.exe
3332	svchost.exe
1360	svchost.exe
3912	RuntimeBroker.exe
2936	taskhostw.exe
952	svchost.exe
1732	svchost.exe
1924	svchost.exe
3696	svchost.exe
5072	svchost.exe
1524	svchost.exe
1916	svchost.exe
536	svchost.exe
4328	TextInputHost.exe
1320	svchost.exe
1516	svchost.exe
2104	svchost.exe
3320	SppExtComObj.exe
2296	svchost.exe
4544	svchost.exe
1500	svchost.exe
316	dwm.exe
900	svchost.exe
1096	svchost.exe
2668	svchost.exe
3848	StartMenuExperienceHost.exe
1088	svchost.exe
2268	svchost.exe
2660	svchost.exe
3444	Explorer.EXE
1272	svchost.exe
1468	svchost.exe
4420	svchost.exe
1688	svchost.exe
668	lsass.exe
1244	svchost.exe
1052	svchost.exe
1640	svchost.exe
604	svchost.exe
1832	spoolsv.exe
3012	svchost.exe
3600	RuntimeBroker.exe
2808	svchost.exe
3988	svchost.exe
2608	sihost.exe
2804	svchost.exe
2408	svchost.exe
1816	svchost.exe
2400	svchost.exe
2004	svchost.exe
1804	svchost.exe
1008	svchost.exe
1992	RuntimeBroker.exe
612	winlogon.exe
2776	sysmon.exe
3552	svchost.exe
2960	unsecapp.exe
1972	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
1172	svchost.exe
1148	Conhost.exe
2132	wmiprvse.exe
4940	svchost.exe
5112	TrustedInstaller.exe
4276	svchost.exe
3488	mousocoreworker.exe
1156	backgroundTaskHost.exe
3964	TiWorker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3620	0oj3.exe
3620	0oj3.exe
2116	cmd.exe
2116	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\cmd.exe	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3476	sc.exe
3108	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00184011FF156529"	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184011FF156529"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 29 Dec 2024 21:16:02 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8EDDE341-6043-44F9-8E11-D9E3F6A00C16}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735506960"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8c5ae66c44e0548aebe78fbbf17ad2100000000020000000000106600000001000020000000e161919cc190d9fcca39ea643df7bdf4cb71df4fcc58992707a71fb42d7877f9000000000e80000000020000200000001183767fd2b6cb35856c9084fdb99989ea246151c489d27a623af6c067c999edb003000051f70c8c0e7959793ba019ead70ca0c99d604d275034babdefd81044532f61648c2525bdf6d43fd2ac54bd381ce0ed6dc99ab5058a03dabfd227d36110e9b47e811896cc20fbfd1e46a373796693755e3960b44177280c6c67c976eeee3d36351bb500149b07f330dc5c29ba5734894f38ff61667686e2b9ead2f0d49ba6fd42d8ca6dbebb003c740f19a3ec5e9dfba2598b5f867815684e53bc0968e2db7a929416113b1d8ce993eef452bfa10b7e8fe0e96b1e1d9f0a5fa0b724572326f32dd8c420d2f71b374693c4b634da471624d15a9f8aeb104518c064dc31c9cad046adc500aad831bd076c15c178ba22badc28e5c2a271b79cd0cc923d724798998798ee0044e7b194aee3d79532b78c52a7ed5d1e3df2ecda5271b201ab78a2bf4d573c0f43f7e7ef3646392a69dcbb61e01f36938992be85768ecc4514e4db6c8213c18bfc3f7c0d8e8717397881026fc95432c09f857c069d9494925de553a6ad389001edf22982e6f1f478889ec9d7b9bc9ac434460b0b9e1867c58c739362a9e1906c9e546edf83407bc2490221793304ef9e4142113a7cbb46d63482ddda3234b289a715296e33c2195ae586df99aac0abd44471cdf4f32484ca39ae7fbbfa38319d200efe2839f91c1a7c036016a75f60a72d897dffa334a0913e6029bda744430c4616e58b0e78d67c2645cbe3be1230a73fa99a2459a05ca1b05b366d40dd5124fd204b43d416dc638e00a6f206876ee113184fcd7be2ac8f8b52f60e1d09743734beb43ec4945e23516f0f5ae4414a82d65db76f1796058b463d9ee79ea6ba3a5d07438c8713daa9c4949eab06ddfce6b88b30e1dd138856cb78ed3870f09fe9085c5fd6a52972319ce9ed240bf5fcdf5108b9e33abd5290b373661bf9522a49430b4077f34d91cd48645f772452241c78ae3cbe2aca009af429fdc01044497166baf4887e0426b312123364966f5fc6e8109507bc3310129279d88c7e98575987f2bf5b25460eb27c70e8db8472a16f5a5ae6127b1cceb52394089630eea69a633bf83ff74e833c85afcd326f137cb426014eb6e3316a019b86183292467dcf649b9b3c64558414b1d0645d63e5a4aa350b8b9aaebb5926bda50e2dc9018f7cb60846731bb308da09bdaf089f49fe38629241550b7b926420199fedc47299e2e05648301bdc3e0e1994ce3ff6c7b4812726106b32ce2444496780d4d4aa44e1de3183ed80d3b94685d05f1490c5a6991522c4ff8905a003b8e859099f7970114f7db8d61d5aede500275a3b9415254baec97584af8cec2a7483a95bdc5681eee07e328bacdf88d59677298b4840000000b26d630eeac52ed9204dd1feb07c0c1147dd0fd2f5fd05340b4256fe286f002dacbad81e539a6ec5f44cbc3a262eb2f0fb0fdcbfd6c9df70177944e095d0488c	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00184011FF156529 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8c5ae66c44e0548aebe78fbbf17ad2100000000020000000000106600000001000020000000a3c992bc02f32a562f3c8cc484f01bd996e3a4ebc93c29dedee90a7b04c49f33000000000e80000000020000200000006d09dc1e653ae76d9982628842ed1dd81ab22a2018c5cc07e894b4cf32ca1f3c8000000035e3748245506581409b7232b4f829436cbc85be60d89a593bfcb87e3f3948eda14567a48e81715f1dddabbd60437156f4ed4b20a786192879001dba5e9d650d7703e46a197050217edab67a5b1ff14df70e6e84dfdbec967419c803c98c8db2e382d4c76351e0c5159d6b813f154e63e8989ef116ac73e92e39b9e13c38b11040000000ac04b6c0290f459eb3233e7e5f48dcb81f5ce0c0767f79e4070fca89635e8c5f852f358aea3033046bc2046cd1e214534ae936b702c059977ea68444579594dd	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799804904710764"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799804908461006"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799804934710915"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799804938929580"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799804940648712"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799804993617062"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799804994867139"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799804936117026"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3620	0oj3.exe
3620	0oj3.exe
2116	cmd.exe
2116	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe
4604	cmd.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
3620	0oj3.exe
2116	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	cmd.exe
Token: SeDebugPrivilege	4604	cmd.exe
Token: SeAuditPrivilege	2756	svchost.exe
Token: SeAuditPrivilege	2756	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2296	svchost.exe
Token: SeIncreaseQuotaPrivilege	2296	svchost.exe
Token: SeSecurityPrivilege	2296	svchost.exe
Token: SeTakeOwnershipPrivilege	2296	svchost.exe
Token: SeLoadDriverPrivilege	2296	svchost.exe
Token: SeSystemtimePrivilege	2296	svchost.exe
Token: SeBackupPrivilege	2296	svchost.exe
Token: SeRestorePrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	2296	svchost.exe
Token: SeSystemEnvironmentPrivilege	2296	svchost.exe
Token: SeUndockPrivilege	2296	svchost.exe
Token: SeManageVolumePrivilege	2296	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2296	svchost.exe
Token: SeIncreaseQuotaPrivilege	2296	svchost.exe
Token: SeSecurityPrivilege	2296	svchost.exe
Token: SeTakeOwnershipPrivilege	2296	svchost.exe
Token: SeLoadDriverPrivilege	2296	svchost.exe
Token: SeSystemtimePrivilege	2296	svchost.exe
Token: SeBackupPrivilege	2296	svchost.exe
Token: SeRestorePrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	2296	svchost.exe
Token: SeSystemEnvironmentPrivilege	2296	svchost.exe
Token: SeUndockPrivilege	2296	svchost.exe
Token: SeManageVolumePrivilege	2296	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2296	svchost.exe
Token: SeIncreaseQuotaPrivilege	2296	svchost.exe
Token: SeSecurityPrivilege	2296	svchost.exe
Token: SeTakeOwnershipPrivilege	2296	svchost.exe
Token: SeLoadDriverPrivilege	2296	svchost.exe
Token: SeSystemtimePrivilege	2296	svchost.exe
Token: SeBackupPrivilege	2296	svchost.exe
Token: SeRestorePrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	2296	svchost.exe
Token: SeSystemEnvironmentPrivilege	2296	svchost.exe
Token: SeUndockPrivilege	2296	svchost.exe
Token: SeManageVolumePrivilege	2296	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2296	svchost.exe
Token: SeIncreaseQuotaPrivilege	2296	svchost.exe
Token: SeSecurityPrivilege	2296	svchost.exe
Token: SeTakeOwnershipPrivilege	2296	svchost.exe
Token: SeLoadDriverPrivilege	2296	svchost.exe
Token: SeSystemtimePrivilege	2296	svchost.exe
Token: SeBackupPrivilege	2296	svchost.exe
Token: SeRestorePrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	2296	svchost.exe
Token: SeSystemEnvironmentPrivilege	2296	svchost.exe
Token: SeUndockPrivilege	2296	svchost.exe
Token: SeManageVolumePrivilege	2296	svchost.exe
Token: SeAuditPrivilege	2756	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2296	svchost.exe
Token: SeIncreaseQuotaPrivilege	2296	svchost.exe
Token: SeSecurityPrivilege	2296	svchost.exe
Token: SeTakeOwnershipPrivilege	2296	svchost.exe
Token: SeLoadDriverPrivilege	2296	svchost.exe
Token: SeSystemtimePrivilege	2296	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 2116	3620	0oj3.exe	84
PID 3620 wrote to memory of 2116	3620	0oj3.exe	84
PID 2116 wrote to memory of 4604	2116	cmd.exe	85
PID 2116 wrote to memory of 4604	2116	cmd.exe	85
PID 4604 wrote to memory of 3596	4604	cmd.exe	90
PID 4604 wrote to memory of 3596	4604	cmd.exe	90
PID 3596 wrote to memory of 1824	3596	cmd.exe	92
PID 3596 wrote to memory of 1824	3596	cmd.exe	92
PID 4604 wrote to memory of 3476	4604	cmd.exe	95
PID 4604 wrote to memory of 3476	4604	cmd.exe	95
PID 4604 wrote to memory of 3108	4604	cmd.exe	97
PID 4604 wrote to memory of 3108	4604	cmd.exe	97
PID 4604 wrote to memory of 2756	4604	cmd.exe	47
PID 4604 wrote to memory of 2164	4604	cmd.exe	39
PID 4604 wrote to memory of 1980	4604	cmd.exe	72
PID 4604 wrote to memory of 780	4604	cmd.exe	8
PID 4604 wrote to memory of 1172	4604	cmd.exe	19
PID 4604 wrote to memory of 3332	4604	cmd.exe	55
PID 4604 wrote to memory of 1360	4604	cmd.exe	23
PID 4604 wrote to memory of 3912	4604	cmd.exe	60
PID 4604 wrote to memory of 388	4604	cmd.exe	86
PID 4604 wrote to memory of 2936	4604	cmd.exe	51
PID 4604 wrote to memory of 952	4604	cmd.exe	12
PID 4604 wrote to memory of 1148	4604	cmd.exe	87
PID 4604 wrote to memory of 2132	4604	cmd.exe	88
PID 4604 wrote to memory of 1732	4604	cmd.exe	30
PID 4604 wrote to memory of 1924	4604	cmd.exe	34
PID 4604 wrote to memory of 3696	4604	cmd.exe	74
PID 4604 wrote to memory of 5072	4604	cmd.exe	66
PID 4604 wrote to memory of 1524	4604	cmd.exe	27
PID 4604 wrote to memory of 1916	4604	cmd.exe	33
PID 4604 wrote to memory of 536	4604	cmd.exe	68
PID 4604 wrote to memory of 4328	4604	cmd.exe	75
PID 4604 wrote to memory of 928	4604	cmd.exe	73
PID 4604 wrote to memory of 1320	4604	cmd.exe	22
PID 4604 wrote to memory of 1516	4604	cmd.exe	26
PID 4604 wrote to memory of 2104	4604	cmd.exe	38
PID 4604 wrote to memory of 3320	4604	cmd.exe	70
PID 4604 wrote to memory of 2296	4604	cmd.exe	41
PID 4604 wrote to memory of 4544	4604	cmd.exe	69
PID 4604 wrote to memory of 1500	4604	cmd.exe	25
PID 4604 wrote to memory of 316	4604	cmd.exe	13
PID 4604 wrote to memory of 900	4604	cmd.exe	11
PID 4604 wrote to memory of 1096	4604	cmd.exe	18
PID 4604 wrote to memory of 2668	4604	cmd.exe	46
PID 4604 wrote to memory of 3848	4604	cmd.exe	59
PID 4604 wrote to memory of 1088	4604	cmd.exe	17
PID 4604 wrote to memory of 2268	4604	cmd.exe	40
PID 4604 wrote to memory of 2660	4604	cmd.exe	45
PID 4604 wrote to memory of 3444	4604	cmd.exe	56
PID 4604 wrote to memory of 1272	4604	cmd.exe	21
PID 4604 wrote to memory of 1468	4604	cmd.exe	24
PID 4604 wrote to memory of 4420	4604	cmd.exe	65
PID 4604 wrote to memory of 1688	4604	cmd.exe	29
PID 4604 wrote to memory of 668	4604	cmd.exe	7
PID 4604 wrote to memory of 1244	4604	cmd.exe	20
PID 4604 wrote to memory of 1052	4604	cmd.exe	16
PID 4604 wrote to memory of 1640	4604	cmd.exe	28
PID 4604 wrote to memory of 604	4604	cmd.exe	14
PID 4604 wrote to memory of 4000	4604	cmd.exe	61
PID 4604 wrote to memory of 1832	4604	cmd.exe	37
PID 4604 wrote to memory of 3012	4604	cmd.exe	52
PID 4604 wrote to memory of 3600	4604	cmd.exe	62
PID 4604 wrote to memory of 2808	4604	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:796
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:780
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4000
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:928
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2132
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1720
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4340
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:3488
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:224
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  - Loads dropped DLL
  PID:1156
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:3964

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:2936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1468
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:3444
- C:\Users\Admin\AppData\Local\Temp\0oj3.exe
  "C:\Users\Admin\AppData\Local\Temp\0oj3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:3476
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Launches sc.exe
        
        PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:3988

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e925220f565adef4a5fedd1261527601 ZtO0/6pQd0WPvrioZKqEYQ.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Loads dropped DLL
  PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
PID:4940

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery