xworm | 3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	XWorm RAT V2.1.exe

Executes dropped EXE 1 IoCs

pid	Process
4904	zo5vr202.etf.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\204a0d8a-27d4-4a25-b657-efb0e4319ae6	lsass.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 30 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dpqvsofpiqxcbx\DeviceId = "<Data LastUpdatedTime=\"1737300193\"><User username=\"02DPQVSOFPIQXCBX\"><HardwareInfo BoundTime=\"1737300193\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02mqqqrpyocqeloe\DeviceId = "<Data><User username=\"02MQQQRPYOCQELOE\"><HardwareInfo BoundTime=\"1737300194\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId = "02mqqqrpyocqeloe"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02mqqqrpyocqeloe\DeviceId = "<Data DAInvalidationTime=\"1737300196\"><User username=\"02MQQQRPYOCQELOE\"><HardwareInfo BoundTime=\"1737300196\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dpqvsofpiqxcbx	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={028D3B53-8845-416C-B6A3-C334118DC385}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dpqvsofpiqxcbx	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02dpqvsofpiqxcbx"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000008a0d4a20d427254ab657efb0e4319ae600000000020000000000106600000001000020000000ef33d4791661921660f5c0a0bc9f0f01ca436f3b04734a8563ef942410db5cd6000000000e800000000200002000000026c1f7c97dcf1081156b3fa999a87c7bddb21c8cc0e7bf35adc4d336ed9614e8b0030000e376636932f0fe97e0256e2fe0ded61ee9bd9447c36f42f844826aeced70d0bbdca58230dbf0904297e26de289b8db22000d677fd908a61c78bf3f02a2e539f445369e7a7046bbe55ef2f441d6325eaa1c08dddcdebfd2a588f4029c9f4c9fe307cb37d72bc17386329c41a4f2508205ec2a3346e3d1c3b158755a942ffb6760168e624ac16b58c651e04ebf04e4dbaf8b9a3546c24e649f204ce16b78cdd514f88b3cdb7d20708bef859e88bb43e4b49f453f292252dc6fa7c19dcb164d594ba8b15c92a4be80f861421e2357c9e0332eee4824de6b189f70d75c0d8c1621317bcc73de44fe85207566eac628893f326acfafa2b7af45dd7ef92fe37c90f219dfe262d9217e12eb9e55814fad5ed44ef3c9e2f6f2bb1de7c069d6d5b630e2e7fa1b6881df299ae10aea599470ba4847f03efbffcbc91cbf7892814cf34b24921705ed8dcc83b39c209a3a966a8c78c57e20c8ce069f005b84c88594419ee4a4f028d8a67b9ec8327f4c7ad1cfc9d0c008d1db5f5225345f32e4ab75a4eb104204852c89a94c8649f5949d07b77569b48e5876da76ddb0a09849373edd40356c1cbd226b0bc4403b8bfcc7c2bb7374924f8151e9dc4ac231ed499694769e3d7c5d9f78e9df4b2bea7b57b5d4628cc6a5613db6ab274cb5853b4d817c4480c0733c64da27f54d33c28058f1d887b5eb2693c9825250fbfe5e9d11beedf3ca5d526705704ad19b7239c81302f70d840d4a872bacc72e7251245b1086d27b6fb068aa96e5269a7d125b712d77e9638989f9737d0e073ac5a44d04a7019b5da3069474dd730574605826f1b8ea7ca3e216f25d200b15350c1a69a2b0b21be918df3c983ec9a427eac6718bc1b3d6cca2054836cbdb6cacbd600d3c2491c6906f110b487e5b3239eb32fda2180e51200e3243c7e46ba6ebdf211e372f64a191a2475d956511bf211c9752f1ee7ff081af7fdbd53ce900d63ef657d69540b9ed013c3b87a4fe91eddda58a2ee1011cb5696182991b64933e7ba57f9cdabfa6bec65068ace6ccabbc643ec3df3a7162035897ed52c0dbac243e369bd8dbec2c576261f1542f2dc188b40b9ff06f863f732c9f50292ddd36066a27fb0ecf31b5e8f495013e62116153ce3dbf80059ecd4719872b6cd38369960d387f74de24a5c6e8a33447b657ea3cce440d942a1e202ccd395ca69df121e82f6946026feefe7632ec59c98462ac310fdf7ba6100e240ecf34b396a24bf3cd4731192773dd2dc6018bfc62412e35be775e2bd68eb80442a6c2054f5f0c4b7861c3d067d2577819ec4bbd858f510f04d1025b8200222788bcc301400000009e9b03f35eafe5f58ce4d9de21f5c24ba173ccc8a3401c002ddb211dd7ee4e98ff8661baa8559a992f6a9d8628771667a1ea9516daf346a7583e16076a77e825	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dpqvsofpiqxcbx\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 19 Jan 2025 15:24:41 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00180012238B9A4B"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2432	SCHTASKS.exe
1184	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4020	WerFault.exe
4020	WerFault.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4736	svchost.exe
4736	svchost.exe
4736	svchost.exe
4736	svchost.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe
4904	zo5vr202.etf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	XWorm RAT V2.1.exe
Token: SeDebugPrivilege	4904	zo5vr202.etf.exe
Token: SeShutdownPrivilege	1644	MusNotification.exe
Token: SeCreatePagefilePrivilege	1644	MusNotification.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeCreateGlobalPrivilege	1576	dwm.exe
Token: SeChangeNotifyPrivilege	1576	dwm.exe
Token: 33	1576	dwm.exe
Token: SeIncBasePriorityPrivilege	1576	dwm.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	1620	svchost.exe
Token: SeCreatePagefilePrivilege	1620	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1800	svchost.exe
Token: SeIncreaseQuotaPrivilege	1800	svchost.exe
Token: SeSecurityPrivilege	1800	svchost.exe
Token: SeTakeOwnershipPrivilege	1800	svchost.exe
Token: SeLoadDriverPrivilege	1800	svchost.exe
Token: SeBackupPrivilege	1800	svchost.exe
Token: SeRestorePrivilege	1800	svchost.exe
Token: SeShutdownPrivilege	1800	svchost.exe
Token: SeSystemEnvironmentPrivilege	1800	svchost.exe
Token: SeManageVolumePrivilege	1800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1800	svchost.exe
Token: SeIncreaseQuotaPrivilege	1800	svchost.exe
Token: SeSecurityPrivilege	1800	svchost.exe
Token: SeTakeOwnershipPrivilege	1800	svchost.exe
Token: SeLoadDriverPrivilege	1800	svchost.exe
Token: SeSystemtimePrivilege	1800	svchost.exe
Token: SeBackupPrivilege	1800	svchost.exe
Token: SeRestorePrivilege	1800	svchost.exe
Token: SeShutdownPrivilege	1800	svchost.exe
Token: SeSystemEnvironmentPrivilege	1800	svchost.exe
Token: SeUndockPrivilege	1800	svchost.exe
Token: SeManageVolumePrivilege	1800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1800	svchost.exe
Token: SeIncreaseQuotaPrivilege	1800	svchost.exe
Token: SeSecurityPrivilege	1800	svchost.exe
Token: SeTakeOwnershipPrivilege	1800	svchost.exe
Token: SeLoadDriverPrivilege	1800	svchost.exe
Token: SeSystemtimePrivilege	1800	svchost.exe
Token: SeBackupPrivilege	1800	svchost.exe
Token: SeRestorePrivilege	1800	svchost.exe
Token: SeShutdownPrivilege	1800	svchost.exe
Token: SeSystemEnvironmentPrivilege	1800	svchost.exe
Token: SeUndockPrivilege	1800	svchost.exe
Token: SeManageVolumePrivilege	1800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1800	svchost.exe
Token: SeIncreaseQuotaPrivilege	1800	svchost.exe
Token: SeSecurityPrivilege	1800	svchost.exe
Token: SeTakeOwnershipPrivilege	1800	svchost.exe
Token: SeLoadDriverPrivilege	1800	svchost.exe
Token: SeSystemtimePrivilege	1800	svchost.exe
Token: SeBackupPrivilege	1800	svchost.exe
Token: SeRestorePrivilege	1800	svchost.exe
Token: SeShutdownPrivilege	1800	svchost.exe
Token: SeSystemEnvironmentPrivilege	1800	svchost.exe
Token: SeUndockPrivilege	1800	svchost.exe
Token: SeManageVolumePrivilege	1800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1800	svchost.exe
Token: SeIncreaseQuotaPrivilege	1800	svchost.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3708	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4904	4300	XWorm RAT V2.1.exe	82
PID 4300 wrote to memory of 4904	4300	XWorm RAT V2.1.exe	82
PID 4300 wrote to memory of 2432	4300	XWorm RAT V2.1.exe	83
PID 4300 wrote to memory of 2432	4300	XWorm RAT V2.1.exe	83
PID 4904 wrote to memory of 608	4904	zo5vr202.etf.exe	5
PID 4904 wrote to memory of 672	4904	zo5vr202.etf.exe	7
PID 4904 wrote to memory of 960	4904	zo5vr202.etf.exe	12
PID 4904 wrote to memory of 60	4904	zo5vr202.etf.exe	13
PID 672 wrote to memory of 2920	672	lsass.exe	50
PID 4904 wrote to memory of 736	4904	zo5vr202.etf.exe	14
PID 4904 wrote to memory of 1004	4904	zo5vr202.etf.exe	15
PID 4904 wrote to memory of 1104	4904	zo5vr202.etf.exe	17
PID 4904 wrote to memory of 1116	4904	zo5vr202.etf.exe	18
PID 4904 wrote to memory of 1140	4904	zo5vr202.etf.exe	19
PID 4904 wrote to memory of 1200	4904	zo5vr202.etf.exe	20
PID 4904 wrote to memory of 1272	4904	zo5vr202.etf.exe	21
PID 4904 wrote to memory of 1280	4904	zo5vr202.etf.exe	22
PID 4904 wrote to memory of 1336	4904	zo5vr202.etf.exe	23
PID 4904 wrote to memory of 1448	4904	zo5vr202.etf.exe	24
PID 4904 wrote to memory of 1464	4904	zo5vr202.etf.exe	25
PID 4904 wrote to memory of 1596	4904	zo5vr202.etf.exe	26
PID 4904 wrote to memory of 1604	4904	zo5vr202.etf.exe	27
PID 4904 wrote to memory of 1636	4904	zo5vr202.etf.exe	28
PID 4904 wrote to memory of 1724	4904	zo5vr202.etf.exe	29
PID 672 wrote to memory of 2920	672	lsass.exe	50
PID 4904 wrote to memory of 1764	4904	zo5vr202.etf.exe	30
PID 4904 wrote to memory of 1772	4904	zo5vr202.etf.exe	31
PID 4904 wrote to memory of 1844	4904	zo5vr202.etf.exe	32
PID 4904 wrote to memory of 1976	4904	zo5vr202.etf.exe	33
PID 4904 wrote to memory of 2000	4904	zo5vr202.etf.exe	34
PID 4904 wrote to memory of 2008	4904	zo5vr202.etf.exe	35
PID 4904 wrote to memory of 1672	4904	zo5vr202.etf.exe	36
PID 4904 wrote to memory of 1800	4904	zo5vr202.etf.exe	37
PID 4904 wrote to memory of 2068	4904	zo5vr202.etf.exe	38
PID 4904 wrote to memory of 2216	4904	zo5vr202.etf.exe	40
PID 4904 wrote to memory of 2316	4904	zo5vr202.etf.exe	41
PID 4904 wrote to memory of 2500	4904	zo5vr202.etf.exe	42
PID 4904 wrote to memory of 2528	4904	zo5vr202.etf.exe	43
PID 4904 wrote to memory of 2656	4904	zo5vr202.etf.exe	44
PID 4904 wrote to memory of 2664	4904	zo5vr202.etf.exe	45
PID 4904 wrote to memory of 2672	4904	zo5vr202.etf.exe	46
PID 4904 wrote to memory of 2684	4904	zo5vr202.etf.exe	47
PID 4904 wrote to memory of 2852	4904	zo5vr202.etf.exe	48
PID 4904 wrote to memory of 2900	4904	zo5vr202.etf.exe	49
PID 4904 wrote to memory of 2920	4904	zo5vr202.etf.exe	50
PID 4904 wrote to memory of 2952	4904	zo5vr202.etf.exe	51
PID 4904 wrote to memory of 2968	4904	zo5vr202.etf.exe	52
PID 4904 wrote to memory of 3156	4904	zo5vr202.etf.exe	54
PID 4904 wrote to memory of 3264	4904	zo5vr202.etf.exe	55
PID 4904 wrote to memory of 3516	4904	zo5vr202.etf.exe	56
PID 4904 wrote to memory of 3640	4904	zo5vr202.etf.exe	57
PID 4904 wrote to memory of 3820	4904	zo5vr202.etf.exe	58
PID 4904 wrote to memory of 3984	4904	zo5vr202.etf.exe	60
PID 4904 wrote to memory of 3708	4904	zo5vr202.etf.exe	62
PID 4904 wrote to memory of 4952	4904	zo5vr202.etf.exe	65
PID 4904 wrote to memory of 3876	4904	zo5vr202.etf.exe	66
PID 4904 wrote to memory of 4080	4904	zo5vr202.etf.exe	68
PID 4904 wrote to memory of 2568	4904	zo5vr202.etf.exe	69
PID 4904 wrote to memory of 4340	4904	zo5vr202.etf.exe	70
PID 4904 wrote to memory of 1332	4904	zo5vr202.etf.exe	71
PID 4904 wrote to memory of 2292	4904	zo5vr202.etf.exe	72
PID 4904 wrote to memory of 456	4904	zo5vr202.etf.exe	73
PID 4904 wrote to memory of 4592	4904	zo5vr202.etf.exe	74
PID 4904 wrote to memory of 1680	4904	zo5vr202.etf.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 60 -s 3888
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4020
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1576

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1200
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2684
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2900

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2968

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3516
- C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\zo5vr202.etf.exe
    "C:\Users\Admin\AppData\Local\Temp\zo5vr202.etf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4904
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXWorm RAT V2.1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2432
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXWorm RAT V2.1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1184
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2332
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\XWorm RAT V2.1.exe" "XWorm RAT V2.1.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2568

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4340

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2292

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4592

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4968

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3237f405ca8836bb014e06aee68fd246 qybXCJmwSEu1ZKPOZ5lAPA.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2704
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1588

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1832

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4612

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery