32ea7d3ceea4b73b2a98ef55aebc41581fdfad995fe9d9cc2411dedc1806f28a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	y0eystlw.kme.exe

Executes dropped EXE 1 IoCs

pid	Process
5232	y0eystlw.kme.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
5756	powershell.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5232 set thread context of 3784	5232	y0eystlw.kme.exe	83

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a83f114a8ca28f4c93bfff7b95686ed8000000000200000000001066000000010000200000001f767ddb476011a4ea9fe9ade8f3120b6902ff8e47f64d9444a8f361a9518f6f000000000e8000000002000020000000ade0c58ca23bfb6ab92c800f0b0be808f171cb6a4ca2e26547b7b3e3d072388c10060000df4bb0f233584eae1af3b9f5de5b2bb2f6c5aa75c9ccace40fd6e30c198b6cbdb4f80cd6d8c645c8138f02b24857304498f7d748933899c748fbed4151dbcb4aff87653b5ce4364c136731f7711b9cf4fe1ad5cf298c5453a11857e0fc7626d2d8022fc88bcf4a883d4649f81c291d22fea36d2a31c20982572a07da45fca01a38933481183c7f7a3ab363ebb501ef448eafdac8ba44e0d2313d61510e133cf4fb328c945a912d207c127618e7da515b13cf06b357eca9f8f1eb5ddb09afe485542eacd48e4c79952ba0a2e2378265fa1353f5ee780faff215f3fac570bc5c0a51fdaf9521b2ef19e5b2f118f448515220340860f2b4e609ddaad0d100423f9a4cf541488eb43ed5f9a01cfdf1ea44ff80fb36a99ccc3bbbca1716c4979f22e40b11043e553c48c32a4c1e964ee67e5c4e78f9055c021afd96ad6711874cb03b1d39afac53748b72858d10177dadc166733789f98070f7e4673a9102fd3d060574469db20bc640909f2eda47c23c72f1c022affc9ec5acdfdf48e75134ba638d55b91320eab723d075055724646712ec63dcf1a53b8c0f0fef7f1604de880796f7cbc3aba1253e0a1def049151fab18ce4775867e0b45c71dca8b17a3c48cb37368ec4f1d9f12881c03c2c91f8862e5b978e103040f2bde0293e74f61cf3f15ef9d0ce8f82bd8dd593a9cf26f50293b0211abae7564b5c900c3ec696a07ee37c6aa23113e1ee50153d42bcd1fbec6d410b8c9c54a011b71bf0966b609b579283b365f820afe95eaa42106739967e0335e8003989607abe3c339a0b16909d8f0c4b15b9e73804444a272346da5de86d0524d4e6d12ef2595c92bfd46456f3bb54d85c41480032e2f56c89d32b5fbf6e7910c11128ee924807fdf14d349c466e0f53d85325c7d336488aa2b5379761e818d3bc07ad6ca8dd932f80675a7f5d20c529790edab778926153fcf3a3fd0ed362df47d1bf11978583edcfa97ee2fac59525cfb5df9773cc8fbab2466c502f982e0230a025596d1ae51da06a177c6b73e2bae2bc5a783ef628ae349dbb67764d2891f10e7cd42e0794b16e0f3d7a7d34cd60bcc57c3eb7114e7429b8308b463200712c0f9bc8137d61e3d78ce74702f1db14dde4f4e4387cca885d90fbb4c21288fa53c622a23c6d6bad2e1e8d980ef87a713c5ebbfd76885f3a3858ee48c4fb02ac741576166427b787431e0c11b77ac75fbf5fe646dd25ac0e313f76bce8eda0e0667e0fafc3a4874bc70354b2f2f1c300453c73cb3e57a0fb1842233f98ebdb82e77a2bf773696dfe110161c0875b38e920b37329626b237916a1d049cf123e4eabf2a2302eb517015ae56bd36f5f4ef783b3d783c97cd9a5b88d646895a00b7acda753cdca80ac80aecb581e95d0fa240c3e6c66f5601ab4995f0657d82945838545e0d05777f117d57b873daff220abb5352b5550d55a4dbddd2a1edba2cbc0e9970c06c7ad74380770c206156617eebfa4fa07cc12fdb55ad344465f2d2bb35718a339a6a72104caafcb7ca470ed2cd3b3f2b67122e885aa2252f6496384748903d585b7ee705a9a3d51c64eb4142623106af229ca04bc6a07251d4f710afc2b75fa4b2399f19b8811698f65b069f3c568b3246515fb0cdf604d24f1a955f0b4cd0e4793ea1803af57b01e784e2e2edc0265570f2cede00deea36194d98e4dfb3d36bf3766b4728fd5ae3adcb5dd57d3532aeb64bb8d8a4bb54f25decee12ed2f01521d3009f712a8a1ec43df82fbaa3e53088b9e2065f0a087c1a7d1371059b50179b23175a063e7892e187f2f0914a1198c837c87799c96c42acd16f760c07c28e50f0b83842729fea448ee42d72eae9c74acdf0b984d115efe3a60d9c438269305e5748847968b8a5af3653447dfa3af4399eb13aadc6c23ec792d16a4f3366fb70385e8dae242b138ba2beb1ecc8ac1fd1459a4a364145d129b50022feec3e5e8f3d9a8e61d2535258139fd6878f4bb3717160b8dc6e8069c38564a400e5002c268d003f562f1adceb8cf0cf0f386cd0f9420303bc7d71ef50355ea752bc7b3ad79963ecf0b90a546b3624e0f9b441ae4cb1129cea0f5cb6775638b2953539bd340874ca2b27509cb17441ee00d1982b7fa8196723436c57950e582a6f0de7e62156c3fba47fe0378c36e406e81aa1b310b2461502b65a4f7c2f9bf8400000008b9fbbd19b01371847bc585d4b76e7e61d92b7ae8a9be28511422b1c3fbe29c720d552e908458dc62d614802158d7087542a1cbbe9d8279a5dab8015107f45f0	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00180013CFF2160E"	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00180013CFF2160E"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00180013CFF2160E = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a83f114a8ca28f4c93bfff7b95686ed8000000000200000000001066000000010000200000002ce6337be8c29bfd01b5a83bc39c0efefd372568724ce553f2a8a6ab798ef6fb000000000e80000000020000200000003622b77d6e21257bab2f09eac7e55caed7bf8387c427137fa760bc967743defa80000000aa69433be5e7a5d541e2fec5cfbbaf57a65d9a90e4e3f697b480920d1bdc5e330a7fd6fa8b3bafd2dfc2c8fd3cb3576f8b74140ab0b5507d71b451e3c1091143a53ff33100690a5c842afdf6c9b47dda58af6ef514347e5f7d3956076c26402d2a56b691a10a280c835c71cedc9a51194239b78e9f74bc8e6ee4c109e21c2c9e400000002d41c46612fca0e1c89bc17ab9da246b3b00d0c8a9caa65a84ed4118808df66bdfe51dd655b0da774e2a3775f562219d15019e525f7bf5c53334944020e3ef2e	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	calc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5844	SCHTASKS.exe
5936	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5232	y0eystlw.kme.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
5756	powershell.exe
5756	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
5756	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
5640	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
5640	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
640	powershell.exe
640	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
1432	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
1432	powershell.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe
3784	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3644	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5232	y0eystlw.kme.exe
Token: SeDebugPrivilege	5232	y0eystlw.kme.exe
Token: SeDebugPrivilege	3784	dllhost.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeIncreaseQuotaPrivilege	5756	powershell.exe
Token: SeSecurityPrivilege	5756	powershell.exe
Token: SeTakeOwnershipPrivilege	5756	powershell.exe
Token: SeLoadDriverPrivilege	5756	powershell.exe
Token: SeSystemProfilePrivilege	5756	powershell.exe
Token: SeSystemtimePrivilege	5756	powershell.exe
Token: SeProfSingleProcessPrivilege	5756	powershell.exe
Token: SeIncBasePriorityPrivilege	5756	powershell.exe
Token: SeCreatePagefilePrivilege	5756	powershell.exe
Token: SeBackupPrivilege	5756	powershell.exe
Token: SeRestorePrivilege	5756	powershell.exe
Token: SeShutdownPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeSystemEnvironmentPrivilege	5756	powershell.exe
Token: SeRemoteShutdownPrivilege	5756	powershell.exe
Token: SeUndockPrivilege	5756	powershell.exe
Token: SeManageVolumePrivilege	5756	powershell.exe
Token: 33	5756	powershell.exe
Token: 34	5756	powershell.exe
Token: 35	5756	powershell.exe
Token: 36	5756	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2236	svchost.exe
Token: SeIncreaseQuotaPrivilege	2236	svchost.exe
Token: SeSecurityPrivilege	2236	svchost.exe
Token: SeTakeOwnershipPrivilege	2236	svchost.exe
Token: SeLoadDriverPrivilege	2236	svchost.exe
Token: SeSystemtimePrivilege	2236	svchost.exe
Token: SeBackupPrivilege	2236	svchost.exe
Token: SeRestorePrivilege	2236	svchost.exe
Token: SeShutdownPrivilege	2236	svchost.exe
Token: SeSystemEnvironmentPrivilege	2236	svchost.exe
Token: SeUndockPrivilege	2236	svchost.exe
Token: SeManageVolumePrivilege	2236	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2236	svchost.exe
Token: SeIncreaseQuotaPrivilege	2236	svchost.exe
Token: SeSecurityPrivilege	2236	svchost.exe
Token: SeTakeOwnershipPrivilege	2236	svchost.exe
Token: SeLoadDriverPrivilege	2236	svchost.exe
Token: SeSystemtimePrivilege	2236	svchost.exe
Token: SeBackupPrivilege	2236	svchost.exe
Token: SeRestorePrivilege	2236	svchost.exe
Token: SeShutdownPrivilege	2236	svchost.exe
Token: SeSystemEnvironmentPrivilege	2236	svchost.exe
Token: SeUndockPrivilege	2236	svchost.exe
Token: SeManageVolumePrivilege	2236	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2236	svchost.exe
Token: SeIncreaseQuotaPrivilege	2236	svchost.exe
Token: SeSecurityPrivilege	2236	svchost.exe
Token: SeTakeOwnershipPrivilege	2236	svchost.exe
Token: SeLoadDriverPrivilege	2236	svchost.exe
Token: SeSystemtimePrivilege	2236	svchost.exe
Token: SeBackupPrivilege	2236	svchost.exe
Token: SeRestorePrivilege	2236	svchost.exe
Token: SeShutdownPrivilege	2236	svchost.exe
Token: SeSystemEnvironmentPrivilege	2236	svchost.exe
Token: SeUndockPrivilege	2236	svchost.exe
Token: SeManageVolumePrivilege	2236	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2236	svchost.exe
Token: SeIncreaseQuotaPrivilege	2236	svchost.exe
Token: SeSecurityPrivilege	2236	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5332 wrote to memory of 5232	5332	loader.exe	82
PID 5332 wrote to memory of 5232	5332	loader.exe	82
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 3784	5232	y0eystlw.kme.exe	83
PID 5232 wrote to memory of 5844	5232	y0eystlw.kme.exe	84
PID 5232 wrote to memory of 5844	5232	y0eystlw.kme.exe	84
PID 5232 wrote to memory of 5936	5232	y0eystlw.kme.exe	85
PID 5232 wrote to memory of 5936	5232	y0eystlw.kme.exe	85
PID 5232 wrote to memory of 5756	5232	y0eystlw.kme.exe	86
PID 5232 wrote to memory of 5756	5232	y0eystlw.kme.exe	86
PID 3784 wrote to memory of 628	3784	dllhost.exe	5
PID 3784 wrote to memory of 680	3784	dllhost.exe	7
PID 3784 wrote to memory of 964	3784	dllhost.exe	12
PID 3784 wrote to memory of 476	3784	dllhost.exe	13
PID 3784 wrote to memory of 520	3784	dllhost.exe	14
PID 3784 wrote to memory of 700	3784	dllhost.exe	15
PID 3784 wrote to memory of 1048	3784	dllhost.exe	16
PID 3784 wrote to memory of 1072	3784	dllhost.exe	17
PID 3784 wrote to memory of 1124	3784	dllhost.exe	18
PID 3784 wrote to memory of 1232	3784	dllhost.exe	19
PID 3784 wrote to memory of 1324	3784	dllhost.exe	21
PID 3784 wrote to memory of 1336	3784	dllhost.exe	22
PID 3784 wrote to memory of 1352	3784	dllhost.exe	23
PID 3784 wrote to memory of 1364	3784	dllhost.exe	24
PID 3784 wrote to memory of 1388	3784	dllhost.exe	25
PID 3784 wrote to memory of 1576	3784	dllhost.exe	26
PID 3784 wrote to memory of 1584	3784	dllhost.exe	27
PID 3784 wrote to memory of 1600	3784	dllhost.exe	28
PID 3784 wrote to memory of 1624	3784	dllhost.exe	29
PID 3784 wrote to memory of 1748	3784	dllhost.exe	30
PID 3784 wrote to memory of 1816	3784	dllhost.exe	31
PID 3784 wrote to memory of 1864	3784	dllhost.exe	32
PID 3784 wrote to memory of 1928	3784	dllhost.exe	33
PID 3784 wrote to memory of 1940	3784	dllhost.exe	34
PID 3784 wrote to memory of 1952	3784	dllhost.exe	35
PID 3784 wrote to memory of 2036	3784	dllhost.exe	36
PID 3784 wrote to memory of 1216	3784	dllhost.exe	37
PID 3784 wrote to memory of 2168	3784	dllhost.exe	38
PID 3784 wrote to memory of 2236	3784	dllhost.exe	39
PID 3784 wrote to memory of 2364	3784	dllhost.exe	41
PID 3784 wrote to memory of 2392	3784	dllhost.exe	42
PID 3784 wrote to memory of 2696	3784	dllhost.exe	44
PID 3784 wrote to memory of 2704	3784	dllhost.exe	45
PID 3784 wrote to memory of 2748	3784	dllhost.exe	46
PID 3784 wrote to memory of 2804	3784	dllhost.exe	47
PID 3784 wrote to memory of 2860	3784	dllhost.exe	48
PID 3784 wrote to memory of 2880	3784	dllhost.exe	49
PID 3784 wrote to memory of 2928	3784	dllhost.exe	50
PID 3784 wrote to memory of 2968	3784	dllhost.exe	51
PID 3784 wrote to memory of 2980	3784	dllhost.exe	52
PID 3784 wrote to memory of 2876	3784	dllhost.exe	53
PID 3784 wrote to memory of 3084	3784	dllhost.exe	54
PID 3784 wrote to memory of 3184	3784	dllhost.exe	55
PID 3784 wrote to memory of 3560	3784	dllhost.exe	56
PID 3784 wrote to memory of 3644	3784	dllhost.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1072
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{132e42e1-a78c-44f2-b4b4-67b4aa27e573}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3784

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1324
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1576
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1216

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2880

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3084

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3560

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3644
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5332
- - C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe
    "C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5232
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77y0eystlw.kme.exe" /tr "'C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5844
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4200
  - - C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77y0eystlw.kme.exe" /tr "'C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1432
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:856
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:1084
    - - C:\Windows\System32\win32calc.exe
        
        "C:\Windows\System32\win32calc.exe"
        5⤵
        
        PID:5800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3752

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5192

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4460

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1068

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2108

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
PID:1860

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e9f32a8db49decb1b23c3c6ac620b838 O1AtRC8hVUKd4lOLc+39zQ.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2276
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4520

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4824

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery