asyncrat | 0c4b7a3670f4ef5f7ba2d7e820cb3df837a72c08a4d039768b50617c06983308

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 62 IoCs

pid	Process
996	0oj3.exe
4472	cmd.exe
528	cmd.exe
1376	svchost.exe
1572	svchost.exe
388	svchost.exe
5112	cmd.exe
780	svchost.exe
4128	RuntimeBroker.exe
968	svchost.exe
1952	svchost.exe
1552	svchost.exe
2732	svchost.exe
2140	svchost.exe
956	svchost.exe
1148	svchost.exe
3312	svchost.exe
1932	svchost.exe
3900	StartMenuExperienceHost.exe
1140	svchost.exe
1900	svchost.exe
336	dwm.exe
1704	svchost.exe
1892	svchost.exe
2972	taskhostw.exe
2080	svchost.exe
896	svchost.exe
4244	OfficeClickToRun.exe
1288	svchost.exe
1668	svchost.exe
3056	unsecapp.exe
2464	svchost.exe
2656	sihost.exe
1272	svchost.exe
1468	svchost.exe
868	svchost.exe
1736	svchost.exe
1844	spoolsv.exe
660	lsass.exe
1052	svchost.exe
3612	svchost.exe
3156	TextInputHost.exe
1048	svchost.exe
2812	svchost.exe
444	SppExtComObj.exe
1820	svchost.exe
2268	svchost.exe
1812	svchost.exe
1236	svchost.exe
3540	svchost.exe
2780	sysmon.exe
612	winlogon.exe
2752	svchost.exe
2184	svchost.exe
2456	svchost.exe
1976	svchost.exe
1384	svchost.exe
2760	svchost.exe
2168	svchost.exe
3732	gmhx.exe
4828	cmd.exe
4060	SearchApp.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 40 IoCs

pid	Process
996	0oj3.exe
996	0oj3.exe
996	0oj3.exe
996	0oj3.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
5052	svchost.exe
4524	svchost.exe
2744	svchost.exe
3912	svchost.exe
1652	TrustedInstaller.exe
4492	TiWorker.exe
872	mousocoreworker.exe
1132	svchost.exe
3884	7zFM.exe
3880	RuntimeBroker.exe
3476	Explorer.EXE
1500	svchost.exe
4788	wmiprvse.exe
4328	svchost.exe
3976	RuntimeBroker.exe
3732	gmhx.exe
3732	gmhx.exe
3732	gmhx.exe
3732	gmhx.exe
3052	Conhost.exe
3732	gmhx.exe
4828	cmd.exe
4828	cmd.exe
4828	cmd.exe
4828	cmd.exe
1620	DllHost.exe
2284	svchost.exe
1008	WerFault.exe
2592	backgroundTaskHost.exe
1984	DllHost.exe
4540	backgroundTaskHost.exe
3712	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
996	0oj3.exe
996	0oj3.exe
4472	cmd.exe
4472	cmd.exe
3732	gmhx.exe
3732	gmhx.exe
4828	cmd.exe
4828	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\cmd.exe	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2820	sc.exe
1444	sc.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0007000000023c8b-20.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799800045932039"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799800218275593"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799800219838559"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133799799617059423"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799800043275524"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799800071244388"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799800073744870"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133799800413744163"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3712	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
996	0oj3.exe
996	0oj3.exe
4472	cmd.exe
4472	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe
528	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3884	7zFM.exe
3476	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3884	7zFM.exe
Token: 35	3884	7zFM.exe
Token: SeSecurityPrivilege	3884	7zFM.exe
Token: SeDebugPrivilege	528	cmd.exe
Token: SeDebugPrivilege	528	cmd.exe
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2184	svchost.exe
Token: SeIncreaseQuotaPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeTakeOwnershipPrivilege	2184	svchost.exe
Token: SeLoadDriverPrivilege	2184	svchost.exe
Token: SeSystemtimePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeShutdownPrivilege	2184	svchost.exe
Token: SeSystemEnvironmentPrivilege	2184	svchost.exe
Token: SeUndockPrivilege	2184	svchost.exe
Token: SeManageVolumePrivilege	2184	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2184	svchost.exe
Token: SeIncreaseQuotaPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeTakeOwnershipPrivilege	2184	svchost.exe
Token: SeLoadDriverPrivilege	2184	svchost.exe
Token: SeSystemtimePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeShutdownPrivilege	2184	svchost.exe
Token: SeSystemEnvironmentPrivilege	2184	svchost.exe
Token: SeUndockPrivilege	2184	svchost.exe
Token: SeManageVolumePrivilege	2184	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2184	svchost.exe
Token: SeIncreaseQuotaPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeTakeOwnershipPrivilege	2184	svchost.exe
Token: SeLoadDriverPrivilege	2184	svchost.exe
Token: SeSystemtimePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeShutdownPrivilege	2184	svchost.exe
Token: SeSystemEnvironmentPrivilege	2184	svchost.exe
Token: SeUndockPrivilege	2184	svchost.exe
Token: SeManageVolumePrivilege	2184	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2184	svchost.exe
Token: SeIncreaseQuotaPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeTakeOwnershipPrivilege	2184	svchost.exe
Token: SeLoadDriverPrivilege	2184	svchost.exe
Token: SeSystemtimePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeShutdownPrivilege	2184	svchost.exe
Token: SeSystemEnvironmentPrivilege	2184	svchost.exe
Token: SeUndockPrivilege	2184	svchost.exe
Token: SeManageVolumePrivilege	2184	svchost.exe
Token: SeAuditPrivilege	2812	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2184	svchost.exe
Token: SeIncreaseQuotaPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeTakeOwnershipPrivilege	2184	svchost.exe
Token: SeLoadDriverPrivilege	2184	svchost.exe
Token: SeSystemtimePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3884	7zFM.exe
3884	7zFM.exe
3884	7zFM.exe
3052	Conhost.exe
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
996	0oj3.exe
4472	cmd.exe
3732	gmhx.exe
4828	cmd.exe
3476	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4472	996	0oj3.exe	94
PID 996 wrote to memory of 4472	996	0oj3.exe	94
PID 4472 wrote to memory of 528	4472	cmd.exe	102
PID 4472 wrote to memory of 528	4472	cmd.exe	102
PID 528 wrote to memory of 2284	528	cmd.exe	105
PID 528 wrote to memory of 2284	528	cmd.exe	105
PID 2284 wrote to memory of 3656	2284	cmd.exe	107
PID 2284 wrote to memory of 3656	2284	cmd.exe	107
PID 528 wrote to memory of 2820	528	cmd.exe	109
PID 528 wrote to memory of 2820	528	cmd.exe	109
PID 528 wrote to memory of 1444	528	cmd.exe	111
PID 528 wrote to memory of 1444	528	cmd.exe	111
PID 528 wrote to memory of 1376	528	cmd.exe	23
PID 528 wrote to memory of 1572	528	cmd.exe	27
PID 528 wrote to memory of 5052	528	cmd.exe	91
PID 528 wrote to memory of 388	528	cmd.exe	14
PID 528 wrote to memory of 4524	528	cmd.exe	69
PID 528 wrote to memory of 780	528	cmd.exe	8
PID 528 wrote to memory of 4128	528	cmd.exe	76
PID 528 wrote to memory of 2744	528	cmd.exe	46
PID 528 wrote to memory of 968	528	cmd.exe	68
PID 528 wrote to memory of 1952	528	cmd.exe	71
PID 528 wrote to memory of 1552	528	cmd.exe	26
PID 528 wrote to memory of 2732	528	cmd.exe	45
PID 528 wrote to memory of 2140	528	cmd.exe	39
PID 528 wrote to memory of 3912	528	cmd.exe	98
PID 528 wrote to memory of 956	528	cmd.exe	12
PID 528 wrote to memory of 1652	528	cmd.exe	95
PID 528 wrote to memory of 1148	528	cmd.exe	19
PID 528 wrote to memory of 3312	528	cmd.exe	54
PID 528 wrote to memory of 1932	528	cmd.exe	35
PID 528 wrote to memory of 4492	528	cmd.exe	108
PID 528 wrote to memory of 3900	528	cmd.exe	59
PID 528 wrote to memory of 1140	528	cmd.exe	18
PID 528 wrote to memory of 872	528	cmd.exe	100
PID 528 wrote to memory of 1132	528	cmd.exe	17
PID 528 wrote to memory of 1900	528	cmd.exe	34
PID 528 wrote to memory of 3884	528	cmd.exe	82
PID 528 wrote to memory of 336	528	cmd.exe	13
PID 528 wrote to memory of 3880	528	cmd.exe	62
PID 528 wrote to memory of 3088	528	cmd.exe	73
PID 528 wrote to memory of 1704	528	cmd.exe	29
PID 528 wrote to memory of 3476	528	cmd.exe	56
PID 528 wrote to memory of 1500	528	cmd.exe	86
PID 528 wrote to memory of 4060	528	cmd.exe	61
PID 528 wrote to memory of 1892	528	cmd.exe	33
PID 528 wrote to memory of 2972	528	cmd.exe	51
PID 528 wrote to memory of 2080	528	cmd.exe	38
PID 528 wrote to memory of 896	528	cmd.exe	11
PID 528 wrote to memory of 4244	528	cmd.exe	72
PID 528 wrote to memory of 1288	528	cmd.exe	22
PID 528 wrote to memory of 1668	528	cmd.exe	28
PID 528 wrote to memory of 3056	528	cmd.exe	52
PID 528 wrote to memory of 2464	528	cmd.exe	43
PID 528 wrote to memory of 2656	528	cmd.exe	44
PID 528 wrote to memory of 1272	528	cmd.exe	21
PID 528 wrote to memory of 1468	528	cmd.exe	25
PID 528 wrote to memory of 868	528	cmd.exe	15
PID 528 wrote to memory of 1736	528	cmd.exe	30
PID 528 wrote to memory of 1844	528	cmd.exe	37
PID 528 wrote to memory of 660	528	cmd.exe	7
PID 528 wrote to memory of 1052	528	cmd.exe	16
PID 528 wrote to memory of 3612	528	cmd.exe	57
PID 528 wrote to memory of 3156	528	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:796
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Modifies registry class
PID:780
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3784
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:3976
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:3880
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3088
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
  2⤵
  PID:2576
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4788
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:872
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:4492
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  - Loads dropped DLL
  PID:1620
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1248
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  - Loads dropped DLL
  PID:2592
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  - Loads dropped DLL
  PID:1984
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  - Loads dropped DLL
  PID:4540

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
PID:1132
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1468
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3476
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sasasa.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3884
- C:\Users\Admin\Desktop\0oj3.exe
  "C:\Users\Admin\Desktop\0oj3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\Desktop\cmd.exe
    cmd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3656
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:2820
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Launches sc.exe
        
        PID:1444
- C:\Users\Admin\Desktop\gmhx.exe
  "C:\Users\Admin\Desktop\gmhx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:3732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:3052
- - C:\Users\Admin\Desktop\cmd.exe
    cmd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4828
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4828 -s 1148
      4⤵
      Loads dropped DLL
      PID:1008
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Config.ini
  2⤵
  - Loads dropped DLL
  - Opens file in notepad (likely ransom note)
  PID:3712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
PID:4328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:1952

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Loads dropped DLL
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
PID:5052

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:3912

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Loads dropped DLL
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery