xworm | 3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	zrhdhlr0.qwm.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\c3f08b1c-83c6-4ed6-b1de-b9d378bafb51	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tuovexhqikgago\DeviceId = "<Data LastUpdatedTime=\"1737339430\"><User username=\"02TUOVEXHQIKGAGO\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tuovexhqikgago\DeviceId = "<Data LastUpdatedTime=\"1737339430\"><User username=\"02TUOVEXHQIKGAGO\"><HardwareInfo BoundTime=\"1737339430\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1737339520"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00188011F581AE8D"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={46D1E072-05E8-424B-81E4-41BBD7F0FDBC}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188011F581AE8D = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000001c8bf0c3c683d64eb1deb9d378bafb510000000002000000000010660000000100002000000063f4d1be1aa40ddbecaa4c152ae98cbecc45f1f39a1916ad9d5d4c6de06e794f000000000e8000000002000020000000fa5e5bd7ec8e9b6b8a8abf39b94e2a0dc2452e6f9939116ae3e488c51e52c83d80000000d25c9c468bf5ff8606e6da8d1636455fb93f85dd29eaf2ccf1692db6d086a055c2396264a090ea5f4f4691a6d9a44368df5667bfcfbae2f1f60235f3c26c47baaa21187dfb8f36599513cda90e778eaf85109b4b1959a0dd1b3c448de6c38b2c50788c039a06991712d03c65d50d5d02f3eb6f5d65688d2f9625896b2d302674400000006091a6bc54f216c930055dcb6d6733e0c7541f7bb0d06d0a1d893a26837637f745da517a6315ad5494a2c24d21aae44a21423c72ac854eb3736ca048bac6aaeb	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tibclazvstpprj\Reason = "2147750679"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02tuovexhqikgago\Provision Monday, January 20, 2025 02:17:10 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAHIvww8aD1k6x3rnTeLr7UQAAAAACAAAAAAAQZgAAAAEAACAAAABQ8puSLemFtGqVtpoADwaL6Lgk0I0AcjEE8fNFwHFFLAAAAAAOgAAAAAIAACAAAABeOj1JrsVnq/P+uCND7Am1NZci2HxpCEKRcJZAnDRc5CAAAADmxHJqvKdMw3TjeLr+CCZOhbIukV0Syij10EqpLuWZZUAAAADyeK+9VK5eP1XheYRbYzwjp5px+tAq8sQ3Fl+u6cnRHGyNcaItwimh7RXs/SkdtRxIWxTeFpp3GJcP9DMEaJEg"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 20 Jan 2025 02:18:40 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02tibclazvstpprj\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000001c8bf0c3c683d64eb1deb9d378bafb510000000002000000000010660000000100002000000006bb4d496970284bfc89dd32de208a4d7beb8477d56dd41fc0152389e0aaf85b000000000e8000000002000020000000ad577f7dcf5602dfba4fda15ab4cbfe8bf93ec6da52786624b8d68d3cc1ed41eb00300004e7297dfdfb0630b5e530f7d1a5e436a10ef8c4fc4c3f0149979cc83a4b9d2445dc1613743da78d787b21ee262301f4dd0132aa86fa162357d0aac35b7d3573e4066c6d5d06f3d24db4bc428bb7070275cc71181aec4bcae794fb265dfc7ece316fff313c1d24b62ec1acaeb2d2371a27a9067f002f5e48da727419ed1ffa65a1cefa5f6aa2c6f817e9acf430b9584707a40822af4d3edc01388549e614699f14e664f44d5a5723d34c5e6a24e8370aee8bc6ad99bcfa209146f0d00f4cfd94378ea58bce4a972f584ff2abec5d371e52d4d09109f6fefb1cd6835c7f7d0413c1cccb1f73ced0ee23c87ccec9822313eb37c8d78ae8ff5cc200e8dde1b0813dcd1621e9c44bcde6af8f83ecf2c486da66f4ce854bb60a3ae2feca9990c6ec4a51f6ce74f47267cc9b932ffa1c6a34c1f9065f060c7aa0fab832eb7bd42e4d9a7762444a0d263195bbc31e966873adaeb20942f900754309681187a5851a6269bc29f9bc56b0953acf53331a91bc1d73e1dc92a4114c375c1dc844212e6e1b349e0df7429eef47e22ee020ba127e9304be82f49f4bbfa9d9490ad1bb1cb8597c74df2bd7f90385144121ffed74d419538c79326c4887b37a6c642b21965113e94892d1dfcd77bee6ef090d2af49dcac0b3aa000641516c59b2f3520294bde949c1098068aeae6a0cebe21d8bc68b17c7be6eec2477ba4dbfd97f69289857272ed4adf594568ae56f2a2f59700d0de8e01914f8f1823a528373f793d8bb4340f44ea53ecf488dbc9e8150ad6c92a86f3ccdec0bf33515baa2f96f74842fc1afef024e0d53793a0bb99eec724755bbbe52147dea02b20e0dd2cad4770084f6a6b4fa5867730f9ab2c4fa107bd6333cc3a61dc03ddf1360541133ea1b9af33db304e2d07dadf9277292e52749d60342c74e772db12e152ac49391d0b0817a4ea5d2de397749817eece5761c1fd4531fd4860de495417a2652bc3f3c8c7f674ccba63b37a48bfcd112dc33cc457b7596feba012c1b557b4b7ff9b5fe5e694dfddcc447e57fb72a0228968dc653e779198e8a532bfa30ff954822265a1b93a4979d9917a4a8c4174d6413246091952f91cf9f2d780c03ff2b6e47219eb917a6d0a307b242840de0374a2008bd4fd0520d68d1f39609b464414f0a8f7cdfaf8e171384bd105da2d15c203b33ad1328c979fdd2ee2a42a49b8349929ac231be0386e3b30a1067cc38b3f2350a58f412a57f9fe1f375ac80158f1fc3a64c0f4ad8dce3c9882fad56f3de83ae42ea9d3e293e9761423150540b7a2fe4ec6bce4f566ca99063b33cd17eae59e8b203f21273289b9a2400000002772dada9217e127e3b5d22490991d10293f10e714bc34008822e8116f629775bcadeb4402be4cd1b54a297197dded03a1c7ccbfd231dc8d8dd55bcb4dee69cd	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188011F581AE8D"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3776	SCHTASKS.exe
3680	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe
3960	zrhdhlr0.qwm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe
Token: SeDebugPrivilege	3960	zrhdhlr0.qwm.exe
Token: SeShutdownPrivilege	1640	svchost.exe
Token: SeCreatePagefilePrivilege	1640	svchost.exe
Token: SeShutdownPrivilege	1640	svchost.exe
Token: SeCreatePagefilePrivilege	1640	svchost.exe
Token: SeShutdownPrivilege	1640	svchost.exe
Token: SeCreatePagefilePrivilege	1640	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1604	svchost.exe
Token: SeIncreaseQuotaPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeTakeOwnershipPrivilege	1604	svchost.exe
Token: SeLoadDriverPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeShutdownPrivilege	1604	svchost.exe
Token: SeSystemEnvironmentPrivilege	1604	svchost.exe
Token: SeManageVolumePrivilege	1604	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1604	svchost.exe
Token: SeIncreaseQuotaPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeTakeOwnershipPrivilege	1604	svchost.exe
Token: SeLoadDriverPrivilege	1604	svchost.exe
Token: SeSystemtimePrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeShutdownPrivilege	1604	svchost.exe
Token: SeSystemEnvironmentPrivilege	1604	svchost.exe
Token: SeUndockPrivilege	1604	svchost.exe
Token: SeManageVolumePrivilege	1604	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1604	svchost.exe
Token: SeIncreaseQuotaPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeTakeOwnershipPrivilege	1604	svchost.exe
Token: SeLoadDriverPrivilege	1604	svchost.exe
Token: SeSystemtimePrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeShutdownPrivilege	1604	svchost.exe
Token: SeSystemEnvironmentPrivilege	1604	svchost.exe
Token: SeUndockPrivilege	1604	svchost.exe
Token: SeManageVolumePrivilege	1604	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1604	svchost.exe
Token: SeIncreaseQuotaPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeTakeOwnershipPrivilege	1604	svchost.exe
Token: SeLoadDriverPrivilege	1604	svchost.exe
Token: SeSystemtimePrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeShutdownPrivilege	1604	svchost.exe
Token: SeSystemEnvironmentPrivilege	1604	svchost.exe
Token: SeUndockPrivilege	1604	svchost.exe
Token: SeManageVolumePrivilege	1604	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1604	svchost.exe
Token: SeIncreaseQuotaPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeTakeOwnershipPrivilege	1604	svchost.exe
Token: SeLoadDriverPrivilege	1604	svchost.exe
Token: SeSystemtimePrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeShutdownPrivilege	1604	svchost.exe
Token: SeSystemEnvironmentPrivilege	1604	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE
3540	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3960	840	3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe	83
PID 840 wrote to memory of 3960	840	3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe	83
PID 840 wrote to memory of 3776	840	3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe	84
PID 840 wrote to memory of 3776	840	3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe	84
PID 3960 wrote to memory of 632	3960	zrhdhlr0.qwm.exe	5
PID 3960 wrote to memory of 704	3960	zrhdhlr0.qwm.exe	7
PID 3960 wrote to memory of 976	3960	zrhdhlr0.qwm.exe	12
PID 3960 wrote to memory of 376	3960	zrhdhlr0.qwm.exe	13
PID 3960 wrote to memory of 776	3960	zrhdhlr0.qwm.exe	14
PID 3960 wrote to memory of 1020	3960	zrhdhlr0.qwm.exe	15
PID 3960 wrote to memory of 1148	3960	zrhdhlr0.qwm.exe	17
PID 3960 wrote to memory of 1156	3960	zrhdhlr0.qwm.exe	18
PID 3960 wrote to memory of 1168	3960	zrhdhlr0.qwm.exe	19
PID 3960 wrote to memory of 1200	3960	zrhdhlr0.qwm.exe	20
PID 3960 wrote to memory of 1260	3960	zrhdhlr0.qwm.exe	21
PID 3960 wrote to memory of 1336	3960	zrhdhlr0.qwm.exe	22
PID 3960 wrote to memory of 1352	3960	zrhdhlr0.qwm.exe	23
PID 3960 wrote to memory of 1416	3960	zrhdhlr0.qwm.exe	24
PID 3960 wrote to memory of 1432	3960	zrhdhlr0.qwm.exe	25
PID 3960 wrote to memory of 1616	3960	zrhdhlr0.qwm.exe	26
PID 3960 wrote to memory of 1648	3960	zrhdhlr0.qwm.exe	27
PID 3960 wrote to memory of 1660	3960	zrhdhlr0.qwm.exe	28
PID 3960 wrote to memory of 1748	3960	zrhdhlr0.qwm.exe	29
PID 3960 wrote to memory of 1772	3960	zrhdhlr0.qwm.exe	30
PID 3960 wrote to memory of 1792	3960	zrhdhlr0.qwm.exe	31
PID 3960 wrote to memory of 1876	3960	zrhdhlr0.qwm.exe	32
PID 3960 wrote to memory of 2036	3960	zrhdhlr0.qwm.exe	33
PID 3960 wrote to memory of 2044	3960	zrhdhlr0.qwm.exe	34
PID 3960 wrote to memory of 1408	3960	zrhdhlr0.qwm.exe	35
PID 3960 wrote to memory of 1604	3960	zrhdhlr0.qwm.exe	36
PID 3960 wrote to memory of 2068	3960	zrhdhlr0.qwm.exe	37
PID 3960 wrote to memory of 2172	3960	zrhdhlr0.qwm.exe	38
PID 3960 wrote to memory of 2288	3960	zrhdhlr0.qwm.exe	40
PID 3960 wrote to memory of 2352	3960	zrhdhlr0.qwm.exe	41
PID 3960 wrote to memory of 2520	3960	zrhdhlr0.qwm.exe	42
PID 3960 wrote to memory of 2528	3960	zrhdhlr0.qwm.exe	43
PID 3960 wrote to memory of 2688	3960	zrhdhlr0.qwm.exe	44
PID 3960 wrote to memory of 2724	3960	zrhdhlr0.qwm.exe	45
PID 3960 wrote to memory of 2744	3960	zrhdhlr0.qwm.exe	46
PID 3960 wrote to memory of 2760	3960	zrhdhlr0.qwm.exe	47
PID 3960 wrote to memory of 2776	3960	zrhdhlr0.qwm.exe	48
PID 3960 wrote to memory of 2788	3960	zrhdhlr0.qwm.exe	49
PID 3960 wrote to memory of 2796	3960	zrhdhlr0.qwm.exe	50
PID 3960 wrote to memory of 3004	3960	zrhdhlr0.qwm.exe	52
PID 3960 wrote to memory of 3060	3960	zrhdhlr0.qwm.exe	53
PID 3960 wrote to memory of 3132	3960	zrhdhlr0.qwm.exe	54
PID 3960 wrote to memory of 3440	3960	zrhdhlr0.qwm.exe	55
PID 3960 wrote to memory of 3540	3960	zrhdhlr0.qwm.exe	56
PID 3960 wrote to memory of 3664	3960	zrhdhlr0.qwm.exe	57
PID 3960 wrote to memory of 3848	3960	zrhdhlr0.qwm.exe	58
PID 3960 wrote to memory of 4008	3960	zrhdhlr0.qwm.exe	60
PID 3960 wrote to memory of 4116	3960	zrhdhlr0.qwm.exe	62
PID 3960 wrote to memory of 4976	3960	zrhdhlr0.qwm.exe	65
PID 3960 wrote to memory of 4612	3960	zrhdhlr0.qwm.exe	67
PID 3960 wrote to memory of 1212	3960	zrhdhlr0.qwm.exe	68
PID 3960 wrote to memory of 2376	3960	zrhdhlr0.qwm.exe	69
PID 3960 wrote to memory of 4364	3960	zrhdhlr0.qwm.exe	70
PID 3960 wrote to memory of 2808	3960	zrhdhlr0.qwm.exe	71
PID 3960 wrote to memory of 4892	3960	zrhdhlr0.qwm.exe	72
PID 3960 wrote to memory of 1908	3960	zrhdhlr0.qwm.exe	73
PID 3960 wrote to memory of 4200	3960	zrhdhlr0.qwm.exe	75
PID 3960 wrote to memory of 3808	3960	zrhdhlr0.qwm.exe	76
PID 3960 wrote to memory of 2132	3960	zrhdhlr0.qwm.exe	79
PID 3960 wrote to memory of 840	3960	zrhdhlr0.qwm.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1168
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3004
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2688

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2796

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3440

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
PID:3540
- C:\Users\Admin\AppData\Local\Temp\3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe
  "C:\Users\Admin\AppData\Local\Temp\3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\zrhdhlr0.qwm.exe
    "C:\Users\Admin\AppData\Local\Temp\zrhdhlr0.qwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3960
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3776
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4748
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe" "3db6003aed5663530344f627592d7071efcece6ab608d114cd219d5b19f389a5.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2932
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2376

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2808

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3a66d87d574d7b1e5c1ba1bc6ea42fb6 JtAzGMHcP0GHv7uEyoSjcA.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2404
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1428

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:4896

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4516

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery