xworm | 227dbbb256d5236819196deda5707bc6abd1df5ba9a483edf82443ad12f26930

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
3976	gfwkwksb.psl.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	pastebin.com
25	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MasonXClient.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001800127D1B497B"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1696	SCHTASKS.exe
2936	SCHTASKS.exe
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
2876	WerFault.exe
2876	WerFault.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
448	svchost.exe
448	svchost.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe
3976	gfwkwksb.psl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	XClient.exe
Token: SeDebugPrivilege	3976	gfwkwksb.psl.exe
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeCreateGlobalPrivilege	2840	dwm.exe
Token: SeChangeNotifyPrivilege	2840	dwm.exe
Token: 33	2840	dwm.exe
Token: SeIncBasePriorityPrivilege	2840	dwm.exe
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeShutdownPrivilege	3308	svchost.exe
Token: SeCreatePagefilePrivilege	3308	svchost.exe
Token: SeShutdownPrivilege	3308	svchost.exe
Token: SeCreatePagefilePrivilege	3308	svchost.exe
Token: SeShutdownPrivilege	3308	svchost.exe
Token: SeCreatePagefilePrivilege	3308	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1740	svchost.exe
Token: SeIncreaseQuotaPrivilege	1740	svchost.exe
Token: SeSecurityPrivilege	1740	svchost.exe
Token: SeTakeOwnershipPrivilege	1740	svchost.exe
Token: SeLoadDriverPrivilege	1740	svchost.exe
Token: SeBackupPrivilege	1740	svchost.exe
Token: SeRestorePrivilege	1740	svchost.exe
Token: SeShutdownPrivilege	1740	svchost.exe
Token: SeSystemEnvironmentPrivilege	1740	svchost.exe
Token: SeManageVolumePrivilege	1740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1740	svchost.exe
Token: SeIncreaseQuotaPrivilege	1740	svchost.exe
Token: SeSecurityPrivilege	1740	svchost.exe
Token: SeTakeOwnershipPrivilege	1740	svchost.exe
Token: SeLoadDriverPrivilege	1740	svchost.exe
Token: SeSystemtimePrivilege	1740	svchost.exe
Token: SeBackupPrivilege	1740	svchost.exe
Token: SeRestorePrivilege	1740	svchost.exe
Token: SeShutdownPrivilege	1740	svchost.exe
Token: SeSystemEnvironmentPrivilege	1740	svchost.exe
Token: SeUndockPrivilege	1740	svchost.exe
Token: SeManageVolumePrivilege	1740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1740	svchost.exe
Token: SeIncreaseQuotaPrivilege	1740	svchost.exe
Token: SeSecurityPrivilege	1740	svchost.exe
Token: SeTakeOwnershipPrivilege	1740	svchost.exe
Token: SeLoadDriverPrivilege	1740	svchost.exe
Token: SeSystemtimePrivilege	1740	svchost.exe
Token: SeBackupPrivilege	1740	svchost.exe
Token: SeRestorePrivilege	1740	svchost.exe
Token: SeShutdownPrivilege	1740	svchost.exe
Token: SeSystemEnvironmentPrivilege	1740	svchost.exe
Token: SeUndockPrivilege	1740	svchost.exe
Token: SeManageVolumePrivilege	1740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1740	svchost.exe
Token: SeIncreaseQuotaPrivilege	1740	svchost.exe
Token: SeSecurityPrivilege	1740	svchost.exe
Token: SeTakeOwnershipPrivilege	1740	svchost.exe
Token: SeLoadDriverPrivilege	1740	svchost.exe
Token: SeSystemtimePrivilege	1740	svchost.exe
Token: SeBackupPrivilege	1740	svchost.exe
Token: SeRestorePrivilege	1740	svchost.exe
Token: SeShutdownPrivilege	1740	svchost.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3464	Explorer.EXE
3464	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4552	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3976	4228	XClient.exe	85
PID 4228 wrote to memory of 3976	4228	XClient.exe	85
PID 4228 wrote to memory of 1696	4228	XClient.exe	86
PID 4228 wrote to memory of 1696	4228	XClient.exe	86
PID 3976 wrote to memory of 628	3976	gfwkwksb.psl.exe	5
PID 3976 wrote to memory of 696	3976	gfwkwksb.psl.exe	7
PID 3976 wrote to memory of 976	3976	gfwkwksb.psl.exe	12
PID 3976 wrote to memory of 376	3976	gfwkwksb.psl.exe	13
PID 696 wrote to memory of 2768	696	lsass.exe	48
PID 3976 wrote to memory of 528	3976	gfwkwksb.psl.exe	14
PID 696 wrote to memory of 2768	696	lsass.exe	48
PID 3976 wrote to memory of 1012	3976	gfwkwksb.psl.exe	16
PID 3976 wrote to memory of 1120	3976	gfwkwksb.psl.exe	17
PID 3976 wrote to memory of 1128	3976	gfwkwksb.psl.exe	18
PID 3976 wrote to memory of 1136	3976	gfwkwksb.psl.exe	19
PID 3976 wrote to memory of 1144	3976	gfwkwksb.psl.exe	20
PID 696 wrote to memory of 2768	696	lsass.exe	48
PID 3976 wrote to memory of 1224	3976	gfwkwksb.psl.exe	21
PID 3976 wrote to memory of 1304	3976	gfwkwksb.psl.exe	22
PID 3976 wrote to memory of 1328	3976	gfwkwksb.psl.exe	23
PID 3976 wrote to memory of 1432	3976	gfwkwksb.psl.exe	24
PID 3976 wrote to memory of 1440	3976	gfwkwksb.psl.exe	25
PID 3976 wrote to memory of 1572	3976	gfwkwksb.psl.exe	26
PID 3976 wrote to memory of 1580	3976	gfwkwksb.psl.exe	27
PID 3976 wrote to memory of 1640	3976	gfwkwksb.psl.exe	28
PID 3976 wrote to memory of 1708	3976	gfwkwksb.psl.exe	29
PID 3976 wrote to memory of 1744	3976	gfwkwksb.psl.exe	30
PID 3976 wrote to memory of 1756	3976	gfwkwksb.psl.exe	31
PID 3976 wrote to memory of 1832	3976	gfwkwksb.psl.exe	32
PID 3976 wrote to memory of 1964	3976	gfwkwksb.psl.exe	33
PID 3976 wrote to memory of 1972	3976	gfwkwksb.psl.exe	34
PID 3976 wrote to memory of 1996	3976	gfwkwksb.psl.exe	35
PID 3976 wrote to memory of 64	3976	gfwkwksb.psl.exe	36
PID 3976 wrote to memory of 1740	3976	gfwkwksb.psl.exe	37
PID 3976 wrote to memory of 2076	3976	gfwkwksb.psl.exe	38
PID 3976 wrote to memory of 2228	3976	gfwkwksb.psl.exe	40
PID 3976 wrote to memory of 2292	3976	gfwkwksb.psl.exe	41
PID 3976 wrote to memory of 2452	3976	gfwkwksb.psl.exe	42
PID 3976 wrote to memory of 2472	3976	gfwkwksb.psl.exe	43
PID 3976 wrote to memory of 2552	3976	gfwkwksb.psl.exe	44
PID 3976 wrote to memory of 2600	3976	gfwkwksb.psl.exe	45
PID 3976 wrote to memory of 2712	3976	gfwkwksb.psl.exe	46
PID 3976 wrote to memory of 2736	3976	gfwkwksb.psl.exe	47
PID 3976 wrote to memory of 2768	3976	gfwkwksb.psl.exe	48
PID 3976 wrote to memory of 2776	3976	gfwkwksb.psl.exe	49
PID 3976 wrote to memory of 2788	3976	gfwkwksb.psl.exe	50
PID 3976 wrote to memory of 2800	3976	gfwkwksb.psl.exe	51
PID 3976 wrote to memory of 2880	3976	gfwkwksb.psl.exe	52
PID 3976 wrote to memory of 3084	3976	gfwkwksb.psl.exe	53
PID 3976 wrote to memory of 3464	3976	gfwkwksb.psl.exe	55
PID 3976 wrote to memory of 3476	3976	gfwkwksb.psl.exe	56
PID 3976 wrote to memory of 3672	3976	gfwkwksb.psl.exe	57
PID 3976 wrote to memory of 3840	3976	gfwkwksb.psl.exe	58
PID 3976 wrote to memory of 4056	3976	gfwkwksb.psl.exe	60
PID 3976 wrote to memory of 4156	3976	gfwkwksb.psl.exe	62
PID 3976 wrote to memory of 5012	3976	gfwkwksb.psl.exe	64
PID 3976 wrote to memory of 4784	3976	gfwkwksb.psl.exe	66
PID 3976 wrote to memory of 720	3976	gfwkwksb.psl.exe	67
PID 3976 wrote to memory of 3832	3976	gfwkwksb.psl.exe	68
PID 3976 wrote to memory of 4896	3976	gfwkwksb.psl.exe	70
PID 3976 wrote to memory of 3320	3976	gfwkwksb.psl.exe	71
PID 3976 wrote to memory of 4920	3976	gfwkwksb.psl.exe	72
PID 3976 wrote to memory of 1072	3976	gfwkwksb.psl.exe	73
PID 3976 wrote to memory of 3196	3976	gfwkwksb.psl.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 376 -s 3564
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1120
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2776
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:4128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2880

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3084

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3464
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\gfwkwksb.psl.exe
    "C:\Users\Admin\AppData\Local\Temp\gfwkwksb.psl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXClient.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XClient.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5028
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXClient.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XClient.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1620
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3320

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4920

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:564

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 524ed5dbf78ebe21c90dab37103d9b04 oXcEQ6No3kWufrgGh5YzPQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4664
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery