dcrat | 429a6c2aa2f62fe5b656de97dd25152cd8e653d92a8dd5e75d067308b784bfaf

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 5 IoCs

pid	Process
2728	MpDefenderCoreService.exe
1792	twain32.exe
2064	updater.exe
780	MsServerHost.exe
2952	WmiPrvSE.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2796	af4b66ff9b1f5830080860380efa81e4.exe
2796	af4b66ff9b1f5830080860380efa81e4.exe
2984	taskeng.exe
2144	cmd.exe
2144	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\fontwin\\OSPPSVC.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\fontwin\\OSPPSVC.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\WmiPrvSE.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\WmiPrvSE.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\spoolsv.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\spoolsv.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\cmd.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Defender\\en-US\\cmd.exe\""	MsServerHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2908	powercfg.exe
1764	powercfg.exe
2080	cmd.exe
2588	powercfg.exe
2956	powercfg.exe
2252	cmd.exe
3028	powercfg.exe
2280	powercfg.exe
1740	powercfg.exe
2416	powercfg.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\cmdc	svchost.exe
File created	C:\Windows\System32\Tasks\MsServerHostM	svchost.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe
File created	C:\Windows\System32\Tasks\OSPPSVC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OSPPSVC	svchost.exe
File created	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\spoolsv	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\OSPPSVCO	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\cmdc	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\smsss	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\smss	svchost.exe
File created	C:\Windows\System32\Tasks\WmiPrvSE	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\spoolsv	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WmiPrvSEW	svchost.exe
File created	C:\Windows\System32\Tasks\MsServerHost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHost	svchost.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\System32\Tasks\smsss	svchost.exe
File created	C:\Windows\System32\Tasks\smss	svchost.exe
File created	\??\c:\Windows\System32\CSCF8C5EBB1E4745CD8FC248C1FAAB76AA.TMP	csc.exe
File created	C:\Windows\System32\Tasks\spoolsvs	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\spoolsvs	svchost.exe
File created	C:\Windows\System32\Tasks\OSPPSVCO	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHostM	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\cmd	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\cmd	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 2412	1792	twain32.exe	45
PID 2064 set thread context of 1372	2064	updater.exe	68
PID 2064 set thread context of 2432	2064	updater.exe	76
PID 2064 set thread context of 1656	2064	updater.exe	77

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\cmd.exe	MsServerHost.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\ebf1f9fa8afd6d	MsServerHost.exe
File created	C:\Program Files\Uninstall Information\smss.exe	MsServerHost.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	MsServerHost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2940	sc.exe
2872	sc.exe
3012	sc.exe
912	sc.exe
960	sc.exe
760	sc.exe
1004	sc.exe
2988	sc.exe
2256	sc.exe
1516	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4b66ff9b1f5830080860380efa81e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10651de3f66fdb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2676	schtasks.exe
2352	schtasks.exe
2796	schtasks.exe
1924	schtasks.exe
2008	schtasks.exe
1880	schtasks.exe
2880	schtasks.exe
2892	schtasks.exe
2764	schtasks.exe
2516	schtasks.exe
2740	schtasks.exe
1764	schtasks.exe
2464	schtasks.exe
1416	schtasks.exe
2448	schtasks.exe
2088	schtasks.exe
1516	schtasks.exe
2736	schtasks.exe
960	schtasks.exe
2244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	twain32.exe
1792	twain32.exe
2588	powershell.exe
1792	twain32.exe
1792	twain32.exe
1792	twain32.exe
1792	twain32.exe
1792	twain32.exe
1792	twain32.exe
1792	twain32.exe
1792	twain32.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2668	powershell.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
1792	twain32.exe
1792	twain32.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe
2412	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2412	dialer.exe
Token: SeShutdownPrivilege	2908	powercfg.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeShutdownPrivilege	1764	powercfg.exe
Token: SeShutdownPrivilege	3028	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	1372	dialer.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeShutdownPrivilege	2416	powercfg.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeShutdownPrivilege	2588	powercfg.exe
Token: SeShutdownPrivilege	2956	powercfg.exe
Token: SeDebugPrivilege	2064	updater.exe
Token: SeLockMemoryPrivilege	1656	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
108	conhost.exe
2616	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2728	2796	af4b66ff9b1f5830080860380efa81e4.exe	31
PID 2796 wrote to memory of 2728	2796	af4b66ff9b1f5830080860380efa81e4.exe	31
PID 2796 wrote to memory of 2728	2796	af4b66ff9b1f5830080860380efa81e4.exe	31
PID 2796 wrote to memory of 2728	2796	af4b66ff9b1f5830080860380efa81e4.exe	31
PID 2796 wrote to memory of 1792	2796	af4b66ff9b1f5830080860380efa81e4.exe	32
PID 2796 wrote to memory of 1792	2796	af4b66ff9b1f5830080860380efa81e4.exe	32
PID 2796 wrote to memory of 1792	2796	af4b66ff9b1f5830080860380efa81e4.exe	32
PID 2796 wrote to memory of 1792	2796	af4b66ff9b1f5830080860380efa81e4.exe	32
PID 2728 wrote to memory of 1548	2728	MpDefenderCoreService.exe	33
PID 2728 wrote to memory of 1548	2728	MpDefenderCoreService.exe	33
PID 2728 wrote to memory of 1548	2728	MpDefenderCoreService.exe	33
PID 2728 wrote to memory of 1548	2728	MpDefenderCoreService.exe	33
PID 2276 wrote to memory of 1004	2276	cmd.exe	38
PID 2276 wrote to memory of 1004	2276	cmd.exe	38
PID 2276 wrote to memory of 1004	2276	cmd.exe	38
PID 2276 wrote to memory of 2872	2276	cmd.exe	39
PID 2276 wrote to memory of 2872	2276	cmd.exe	39
PID 2276 wrote to memory of 2872	2276	cmd.exe	39
PID 2276 wrote to memory of 2988	2276	cmd.exe	40
PID 2276 wrote to memory of 2988	2276	cmd.exe	40
PID 2276 wrote to memory of 2988	2276	cmd.exe	40
PID 2276 wrote to memory of 3012	2276	cmd.exe	41
PID 2276 wrote to memory of 3012	2276	cmd.exe	41
PID 2276 wrote to memory of 3012	2276	cmd.exe	41
PID 2276 wrote to memory of 2256	2276	cmd.exe	42
PID 2276 wrote to memory of 2256	2276	cmd.exe	42
PID 2276 wrote to memory of 2256	2276	cmd.exe	42
PID 1792 wrote to memory of 2412	1792	twain32.exe	45
PID 2252 wrote to memory of 2908	2252	cmd.exe	48
PID 2252 wrote to memory of 2908	2252	cmd.exe	48
PID 2252 wrote to memory of 2908	2252	cmd.exe	48
PID 2412 wrote to memory of 432	2412	dialer.exe	5
PID 2412 wrote to memory of 476	2412	dialer.exe	6
PID 2412 wrote to memory of 492	2412	dialer.exe	7
PID 2412 wrote to memory of 500	2412	dialer.exe	8
PID 2412 wrote to memory of 608	2412	dialer.exe	9
PID 2412 wrote to memory of 688	2412	dialer.exe	10
PID 2412 wrote to memory of 764	2412	dialer.exe	11
PID 2412 wrote to memory of 828	2412	dialer.exe	12
PID 2412 wrote to memory of 856	2412	dialer.exe	13
PID 2412 wrote to memory of 988	2412	dialer.exe	15
PID 2412 wrote to memory of 300	2412	dialer.exe	16
PID 2412 wrote to memory of 928	2412	dialer.exe	17
PID 2412 wrote to memory of 1080	2412	dialer.exe	18
PID 2412 wrote to memory of 1120	2412	dialer.exe	19
PID 2412 wrote to memory of 1172	2412	dialer.exe	20
PID 2412 wrote to memory of 1220	2412	dialer.exe	21
PID 2412 wrote to memory of 1200	2412	dialer.exe	23
PID 2412 wrote to memory of 1508	2412	dialer.exe	24
PID 2412 wrote to memory of 2400	2412	dialer.exe	26
PID 2412 wrote to memory of 1920	2412	dialer.exe	27
PID 2412 wrote to memory of 1792	2412	dialer.exe	32
PID 2412 wrote to memory of 2252	2412	dialer.exe	43
PID 2412 wrote to memory of 2260	2412	dialer.exe	44
PID 2412 wrote to memory of 2668	2412	dialer.exe	46
PID 2412 wrote to memory of 1976	2412	dialer.exe	47
PID 2412 wrote to memory of 2908	2412	dialer.exe	48
PID 2252 wrote to memory of 1764	2252	cmd.exe	49
PID 2252 wrote to memory of 1764	2252	cmd.exe	49
PID 2252 wrote to memory of 1764	2252	cmd.exe	49
PID 2412 wrote to memory of 1764	2412	dialer.exe	49
PID 2412 wrote to memory of 1764	2412	dialer.exe	49
PID 2252 wrote to memory of 3028	2252	cmd.exe	50
PID 2252 wrote to memory of 3028	2252	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1200
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2992
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2464
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2764
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2008
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1416
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1880
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2880
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\fontwin\OSPPSVC.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:960
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\fontwin\OSPPSVC.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2516
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\fontwin\OSPPSVC.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1924
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2676
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2740
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1764
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2244
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2448
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2088
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 11 /tr "'C:\fontwin\MsServerHost.exe'" /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2352
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:1516
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 10 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
      4⤵
      Process spawned unexpected child process
      Scheduled Task/Job: Scheduled Task
      PID:2736
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:1152
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:688
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:764
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:828
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {C2BE5CF9-609F-4100-8E98-3A38A2AD7ADB} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:2984
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:988
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:928
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1508
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2400
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1920

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe
  "C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe
    "C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontwin\n5YK.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\fontwin\eUNvwPScHJBqRVxJMAbWN67h5pJ3FqxG.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
      - C:\fontwin\MsServerHost.exe
        
        "C:\fontwin/MsServerHost.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:780
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h2bydji4\h2bydji4.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57C1.tmp" "c:\Windows\System32\CSCF8C5EBB1E4745CD8FC248C1FAAB76AA.TMP"
        8⤵
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N1JvCD0U4V.bat"
        7⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:912
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        
        PID:2952
- - C:\Users\Admin\AppData\Local\Temp\twain32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1004
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2872
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2988
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3012
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2256
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2796
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:484
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:912
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:960
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:760
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2940
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2892
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2432
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3374451471224418754-1180953492-716355101619345031760702248-278023769-1815691363"
1⤵
PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-954960114560193767-1195604446-20550055381571096863588642156467266401715469987"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6689557985239156-21409593651424774707154321029611885975472098081461069740714"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1117317759-336522195-2102250613-1479846943-748285764-8561551872052768352-945280693"
1⤵
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14179978423238053-710546584-125936801312207383846240806-512562410-230682562"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1902251297-11398988291491070308-10704947451018182307-5595545417046196511086570513"
1⤵
PID:1068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1310898339-1577709541562882794-8287433723437569381913197171748103354-700150610"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "960586500-1591270466-2118836754-1846547025-362143469-18351302598894664211238139124"
1⤵
- Suspicious use of SetWindowsHookEx
PID:108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1366303725950198600-154236502-617262121-394967234216368742-2145734290757686548"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2119130958-2048556091-12199104661650892143-1100427106614761927-2057555943-1962169928"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "294905798-619540427-1653221537-132894607818408142461603451742-848178435-1898618479"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-382739092-35387848418645913891786016875-1056415192-139478295-17002566851875213117"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1018596427-1085593929358862790-1536372103949961462574384359329506444-1911387684"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-525864195-13721529781921491436-1449384342-1090231802-894628207401543811-1178412776"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18473449231339103228-3280602531115565339195121854010493304152059925514-815391280"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6287896161317182500-12597230757385125735024525871985170015847322650-2082660202"
1⤵
PID:2592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "158046649510823312181562678511-1575214310-116562498912875883721471609897746512515"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-340240098-8827834241507220188-160004486588478621290406766-20977218081023594312"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1787302124-6811885531460251358-1524297291-2022847771-1369712380-1605885735195327450"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-95511251317565346-15440680472113746126393852575630061218821105396-610768274"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15681838511776265868-1608180363814277708-2120085684418855639-753702719115323822"
1⤵
PID:396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1866977752-169162693-838056525-9571226125694776741647409401-2065718020-255113530"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10918381646400223171853285226-1874962520-801349061-1733527010-847443460947845746"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1663317145-120889971659270095-459430077-941180177136951005111437826881789307201"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-952058299-3431936841426794388-181620559-2133357448-1932761801518159025-635891779"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-330170686-17228071441192761299-1597886014556012658-1970828134-502951829-397911915"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-599683044-57743130077260807-452603791-4379642672045468745-3814285011328612145"
1⤵
PID:680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1159100030-649251102063668145-674537379-1911043589-165047479-2369281701666356025"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery