xworm | 227dbbb256d5236819196deda5707bc6abd1df5ba9a483edf82443ad12f26930

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	41lxku4l.lo5.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3524754987-2550789650-2995585052-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	XClient.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018401296910988"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2340	SCHTASKS.exe
4356	SCHTASKS.exe
236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
864	WerFault.exe
864	WerFault.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
1420	WerFault.exe
1420	WerFault.exe
4640	svchost.exe
4640	svchost.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4640	svchost.exe
4640	svchost.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4040	WerFault.exe
4040	WerFault.exe
4640	svchost.exe
4640	svchost.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe
4344	41lxku4l.lo5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	XClient.exe
Token: SeDebugPrivilege	4344	41lxku4l.lo5.exe
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeAuditPrivilege	2272	svchost.exe
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	4460	svchost.exe
Token: SeCreatePagefilePrivilege	4460	svchost.exe
Token: SeShutdownPrivilege	4460	svchost.exe
Token: SeCreatePagefilePrivilege	4460	svchost.exe
Token: SeShutdownPrivilege	4460	svchost.exe
Token: SeCreatePagefilePrivilege	4460	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe
Token: SeSystemEnvironmentPrivilege	2072	svchost.exe
Token: SeManageVolumePrivilege	2072	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeSystemtimePrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe
Token: SeSystemEnvironmentPrivilege	2072	svchost.exe
Token: SeUndockPrivilege	2072	svchost.exe
Token: SeManageVolumePrivilege	2072	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3552	Explorer.EXE
3552	Explorer.EXE
3552	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3552	Explorer.EXE
3552	Explorer.EXE
3552	Explorer.EXE
3552	Explorer.EXE
3552	Explorer.EXE
3552	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3552	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4344	4888	XClient.exe	84
PID 4888 wrote to memory of 4344	4888	XClient.exe	84
PID 4888 wrote to memory of 2340	4888	XClient.exe	85
PID 4888 wrote to memory of 2340	4888	XClient.exe	85
PID 4344 wrote to memory of 620	4344	41lxku4l.lo5.exe	5
PID 4344 wrote to memory of 684	4344	41lxku4l.lo5.exe	7
PID 4344 wrote to memory of 968	4344	41lxku4l.lo5.exe	12
PID 4344 wrote to memory of 472	4344	41lxku4l.lo5.exe	13
PID 4344 wrote to memory of 764	4344	41lxku4l.lo5.exe	14
PID 4344 wrote to memory of 628	4344	41lxku4l.lo5.exe	15
PID 4344 wrote to memory of 868	4344	41lxku4l.lo5.exe	16
PID 4344 wrote to memory of 1056	4344	41lxku4l.lo5.exe	17
PID 4344 wrote to memory of 1080	4344	41lxku4l.lo5.exe	18
PID 4344 wrote to memory of 1172	4344	41lxku4l.lo5.exe	19
PID 4344 wrote to memory of 1216	4344	41lxku4l.lo5.exe	20
PID 4344 wrote to memory of 1288	4344	41lxku4l.lo5.exe	22
PID 4344 wrote to memory of 1344	4344	41lxku4l.lo5.exe	23
PID 4344 wrote to memory of 1472	4344	41lxku4l.lo5.exe	24
PID 4344 wrote to memory of 1496	4344	41lxku4l.lo5.exe	25
PID 4344 wrote to memory of 1504	4344	41lxku4l.lo5.exe	26
PID 4344 wrote to memory of 1516	4344	41lxku4l.lo5.exe	27
PID 4344 wrote to memory of 1592	4344	41lxku4l.lo5.exe	28
PID 4344 wrote to memory of 1708	4344	41lxku4l.lo5.exe	29
PID 4344 wrote to memory of 1748	4344	41lxku4l.lo5.exe	30
PID 4344 wrote to memory of 1792	4344	41lxku4l.lo5.exe	31
PID 4344 wrote to memory of 1916	4344	41lxku4l.lo5.exe	32
PID 4344 wrote to memory of 2044	4344	41lxku4l.lo5.exe	33
PID 4344 wrote to memory of 1152	4344	41lxku4l.lo5.exe	34
PID 4344 wrote to memory of 1212	4344	41lxku4l.lo5.exe	35
PID 4344 wrote to memory of 1656	4344	41lxku4l.lo5.exe	36
PID 4344 wrote to memory of 2072	4344	41lxku4l.lo5.exe	37
PID 4344 wrote to memory of 2116	4344	41lxku4l.lo5.exe	38
PID 4344 wrote to memory of 2264	4344	41lxku4l.lo5.exe	39
PID 4344 wrote to memory of 2412	4344	41lxku4l.lo5.exe	41
PID 4344 wrote to memory of 2420	4344	41lxku4l.lo5.exe	42
PID 4344 wrote to memory of 2688	4344	41lxku4l.lo5.exe	43
PID 4344 wrote to memory of 2700	4344	41lxku4l.lo5.exe	44
PID 4344 wrote to memory of 2836	4344	41lxku4l.lo5.exe	46
PID 4344 wrote to memory of 2844	4344	41lxku4l.lo5.exe	47
PID 4344 wrote to memory of 2876	4344	41lxku4l.lo5.exe	48
PID 4344 wrote to memory of 2884	4344	41lxku4l.lo5.exe	49
PID 4344 wrote to memory of 3032	4344	41lxku4l.lo5.exe	50
PID 4344 wrote to memory of 2272	4344	41lxku4l.lo5.exe	51
PID 4344 wrote to memory of 3076	4344	41lxku4l.lo5.exe	52
PID 4344 wrote to memory of 3104	4344	41lxku4l.lo5.exe	53
PID 4344 wrote to memory of 3124	4344	41lxku4l.lo5.exe	54
PID 4344 wrote to memory of 3376	4344	41lxku4l.lo5.exe	55
PID 4344 wrote to memory of 3432	4344	41lxku4l.lo5.exe	56
PID 4344 wrote to memory of 3552	4344	41lxku4l.lo5.exe	57
PID 4344 wrote to memory of 3812	4344	41lxku4l.lo5.exe	58
PID 4344 wrote to memory of 4052	4344	41lxku4l.lo5.exe	60
PID 4344 wrote to memory of 4132	4344	41lxku4l.lo5.exe	62
PID 4344 wrote to memory of 4376	4344	41lxku4l.lo5.exe	63
PID 4344 wrote to memory of 2360	4344	41lxku4l.lo5.exe	66
PID 4344 wrote to memory of 5060	4344	41lxku4l.lo5.exe	68
PID 4344 wrote to memory of 4756	4344	41lxku4l.lo5.exe	69
PID 4344 wrote to memory of 1192	4344	41lxku4l.lo5.exe	70
PID 4344 wrote to memory of 4968	4344	41lxku4l.lo5.exe	71
PID 4344 wrote to memory of 1200	4344	41lxku4l.lo5.exe	72
PID 4344 wrote to memory of 3388	4344	41lxku4l.lo5.exe	73
PID 4344 wrote to memory of 3736	4344	41lxku4l.lo5.exe	74
PID 4344 wrote to memory of 4464	4344	41lxku4l.lo5.exe	75
PID 4344 wrote to memory of 3584	4344	41lxku4l.lo5.exe	76
PID 4344 wrote to memory of 992	4344	41lxku4l.lo5.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1056
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1056 -s 2588
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1056 -s 3792
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 620 -s 408
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:864

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1288
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1516
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2688
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1168
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1892
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3520
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1668
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3232
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2116

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3124

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3552
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\41lxku4l.lo5.exe
    "C:\Users\Admin\AppData\Local\Temp\41lxku4l.lo5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4344
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXClient.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XClient.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2340
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonXClient.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\XClient.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4356
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:800
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4756

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1192

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 504 -p 1056 -ip 1056
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 528 -p 620 -ip 620
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4848
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 620 -p 1056 -ip 1056
  2⤵
  PID:4368
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 532 -p 4888 -ip 4888
  2⤵
  PID:1832

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 7678d5c5ebb4a641684c421d04f452e4 iUJhg3MNo0GLiq/pW/cUGw.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Writes to the Master Boot Record (MBR)
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery