xworm | 9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	g2onoebe.tqz.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840129631C35A"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3756	SCHTASKS.exe
2820	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
5116	WerFault.exe
5116	WerFault.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
3888	svchost.exe
3888	svchost.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
2748	wlrmdr.exe
2748	wlrmdr.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe
4872	g2onoebe.tqz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe
Token: SeDebugPrivilege	4872	g2onoebe.tqz.exe
Token: SeShutdownPrivilege	3124	MusNotification.exe
Token: SeCreatePagefilePrivilege	3124	MusNotification.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	wlrmdr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4872	3584	9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe	86
PID 3584 wrote to memory of 4872	3584	9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe	86
PID 3584 wrote to memory of 3756	3584	9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe	87
PID 3584 wrote to memory of 3756	3584	9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe	87
PID 4872 wrote to memory of 616	4872	g2onoebe.tqz.exe	5
PID 4872 wrote to memory of 664	4872	g2onoebe.tqz.exe	7
PID 4872 wrote to memory of 960	4872	g2onoebe.tqz.exe	12
PID 4872 wrote to memory of 336	4872	g2onoebe.tqz.exe	13
PID 4872 wrote to memory of 740	4872	g2onoebe.tqz.exe	14
PID 4872 wrote to memory of 1020	4872	g2onoebe.tqz.exe	15
PID 4872 wrote to memory of 1128	4872	g2onoebe.tqz.exe	17
PID 4872 wrote to memory of 1136	4872	g2onoebe.tqz.exe	18
PID 4872 wrote to memory of 1144	4872	g2onoebe.tqz.exe	19
PID 4872 wrote to memory of 1212	4872	g2onoebe.tqz.exe	20
PID 4872 wrote to memory of 1224	4872	g2onoebe.tqz.exe	21
PID 4872 wrote to memory of 1252	4872	g2onoebe.tqz.exe	22
PID 4872 wrote to memory of 1304	4872	g2onoebe.tqz.exe	23
PID 4872 wrote to memory of 1392	4872	g2onoebe.tqz.exe	24
PID 4872 wrote to memory of 1444	4872	g2onoebe.tqz.exe	25
PID 4872 wrote to memory of 1548	4872	g2onoebe.tqz.exe	26
PID 4872 wrote to memory of 1556	4872	g2onoebe.tqz.exe	27
PID 4872 wrote to memory of 1660	4872	g2onoebe.tqz.exe	28
PID 4872 wrote to memory of 1672	4872	g2onoebe.tqz.exe	29
PID 4872 wrote to memory of 1716	4872	g2onoebe.tqz.exe	30
PID 4872 wrote to memory of 1752	4872	g2onoebe.tqz.exe	31
PID 4872 wrote to memory of 1800	4872	g2onoebe.tqz.exe	32
PID 4872 wrote to memory of 1868	4872	g2onoebe.tqz.exe	33
PID 4872 wrote to memory of 1880	4872	g2onoebe.tqz.exe	34
PID 4872 wrote to memory of 1948	4872	g2onoebe.tqz.exe	35
PID 4872 wrote to memory of 1964	4872	g2onoebe.tqz.exe	36
PID 4872 wrote to memory of 1012	4872	g2onoebe.tqz.exe	37
PID 4872 wrote to memory of 2088	4872	g2onoebe.tqz.exe	39
PID 4872 wrote to memory of 2248	4872	g2onoebe.tqz.exe	40
PID 4872 wrote to memory of 2292	4872	g2onoebe.tqz.exe	41
PID 4872 wrote to memory of 2388	4872	g2onoebe.tqz.exe	42
PID 4872 wrote to memory of 2396	4872	g2onoebe.tqz.exe	43
PID 4872 wrote to memory of 2464	4872	g2onoebe.tqz.exe	44
PID 4872 wrote to memory of 2504	4872	g2onoebe.tqz.exe	45
PID 4872 wrote to memory of 2556	4872	g2onoebe.tqz.exe	46
PID 4872 wrote to memory of 2572	4872	g2onoebe.tqz.exe	47
PID 4872 wrote to memory of 2580	4872	g2onoebe.tqz.exe	48
PID 4872 wrote to memory of 2928	4872	g2onoebe.tqz.exe	49
PID 4872 wrote to memory of 2940	4872	g2onoebe.tqz.exe	50
PID 4872 wrote to memory of 2952	4872	g2onoebe.tqz.exe	51
PID 4872 wrote to memory of 2548	4872	g2onoebe.tqz.exe	53
PID 4872 wrote to memory of 2596	4872	g2onoebe.tqz.exe	54
PID 4872 wrote to memory of 3292	4872	g2onoebe.tqz.exe	55
PID 4872 wrote to memory of 3372	4872	g2onoebe.tqz.exe	56
PID 4872 wrote to memory of 3556	4872	g2onoebe.tqz.exe	57
PID 4872 wrote to memory of 3736	4872	g2onoebe.tqz.exe	58
PID 4872 wrote to memory of 3904	4872	g2onoebe.tqz.exe	60
PID 4872 wrote to memory of 4172	4872	g2onoebe.tqz.exe	62
PID 4872 wrote to memory of 5112	4872	g2onoebe.tqz.exe	65
PID 4872 wrote to memory of 1032	4872	g2onoebe.tqz.exe	67
PID 4872 wrote to memory of 2124	4872	g2onoebe.tqz.exe	68
PID 4872 wrote to memory of 4664	4872	g2onoebe.tqz.exe	69
PID 4872 wrote to memory of 2600	4872	g2onoebe.tqz.exe	70
PID 4872 wrote to memory of 3344	4872	g2onoebe.tqz.exe	71
PID 4872 wrote to memory of 4964	4872	g2onoebe.tqz.exe	72
PID 4872 wrote to memory of 972	4872	g2onoebe.tqz.exe	73
PID 4872 wrote to memory of 4208	4872	g2onoebe.tqz.exe	74
PID 4872 wrote to memory of 2068	4872	g2onoebe.tqz.exe	76
PID 4872 wrote to memory of 1972	4872	g2onoebe.tqz.exe	77
PID 4872 wrote to memory of 4636	4872	g2onoebe.tqz.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336
- C:\Windows\system32\wlrmdr.exe
  -s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2748

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 664 -s 4220
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2548
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1964

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2504

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2580

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372
- C:\Users\Admin\AppData\Local\Temp\9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe
  "C:\Users\Admin\AppData\Local\Temp\9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\g2onoebe.tqz.exe
    "C:\Users\Admin\AppData\Local\Temp\g2onoebe.tqz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3756
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Mason9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2600

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3344

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 476 -p 664 -ip 664
  2⤵
  PID:4436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery