discordrat | 5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
19	discord.com
20	discord.com
26	discord.com
16	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 1068	2208	Discord rat.exe	82
PID 2208 set thread context of 3144	2208	Discord rat.exe	89
PID 2208 set thread context of 2900	2208	Discord rat.exe	95
PID 2208 set thread context of 3188	2208	Discord rat.exe	103
PID 2208 set thread context of 820	2208	Discord rat.exe	107
PID 2208 set thread context of 4620	2208	Discord rat.exe	117
PID 2208 set thread context of 3676	2208	Discord rat.exe	128
PID 2208 set thread context of 5572	2208	Discord rat.exe	135
PID 2208 set thread context of 3460	2208	Discord rat.exe	142
PID 2208 set thread context of 2520	2208	Discord rat.exe	146
PID 2208 set thread context of 1184	2208	Discord rat.exe	156
PID 2208 set thread context of 5576	2208	Discord rat.exe	164
PID 2208 set thread context of 812	2208	Discord rat.exe	174

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\EventCache.v2\{4E3A2C56-F6CF-44DC-94A9-BA869AC1A54A}.bin	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi\DeviceId = "<Data><User username=\"02FTCYCYTOZMILOI\"><HardwareInfo BoundTime=\"1719771034\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\DeviceId = "<Data LastUpdatedTime=\"1719771029\"><User username=\"02PBZBUTMQJQJBTN\"><HardwareInfo BoundTime=\"1719771034\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018800F93212709"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1719771032%26hashalg%3DSHA256%26bver%3D24%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C539_BL2.0.D.Cvq5n4CP9qwW/Vhc8CgY69F83CAeXBauzeFYheoZrrYP3RPR/AKFv%252Bz7ynD%252BF3ync9ObjiyXinhgxphL0GxUDog7LHlYKgGIhrOS/AzDQo4waZGK85LUeyCUts4Qei6tAg2q0RK0bA%252BGF%252BokFnomq0I1FKjdXAus3UipQg4xljGRGijqCDXpQsbS6sLHB4k9CFaJ3VCXqPSGyHXISpirMDNje6WuxxBjcPv7oIwLehx3N%252Bjh4BO44DgeHR6/RYIWiqAXqD5aAhoS5Jv1h3HfvAe6VI7fUDT8USRBnxrfnLHfWFC/z5oGZHKpEkseENZbacqhoXgvNJZ33qLG7gLcFCuzxgEFeuLqSExdd5W2IGE%252Bgwz7Cpt%252BAcQ5lurdb%252BcNQW2378w6b5pY6HqvsvxNdAM942xm%252BoS6Ehtw7U91Hzt7g1Thv1TR9tQAGkwFUgRv4qH7k2j2cgH2Bt2iMfbrMmhtSW7a9f29RNzlMvD8TfkN37RYRyte1P0EYtPoEXVFl/4XCY/SqrBDiZuxbdSPuoE%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3D4Q9pd%252BCbEvEfTh476ILvG%252FY1v%252FEdhPzn%26hash%3Dq61ZzTuDMWbPHbGWRbLJJ3ZvDZC1QwKMvFL0JZ24qh0%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nkuaprocqgzdqg\Response Sunday, June 30, 2024 18:10:34 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnjh7m3eA4kG9TS1QEyUaLwAAAAACAAAAAAAQZgAAAAEAACAAAAA12kLPX8Ty3FicZpRRVtoXXaO6oO97aqNnreMuUB2JwwAAAAAOgAAAAAIAACAAAAA7LrLyXPXcilAu0aWRgjywKDukJ8oQSj8pZ7jWCBDqvpAHAABn5pfR+3mgLpjvBpRDgEPSlf3+ktLQ8ThrCoeKT9Cg/sWD9bGdh6UZRGMd++cwlmI5YiQgmp/R/3u/lU6DHbk+mzkUti5xR+I1byoDVKFiBqCOLRo0+yQG29DzHDLAodcjr7irHDszb1Ol+WLEaMiSfWI/DaFHOYpUJbGAuDZ3bsCy2J+C14yr2b4yBDfPfkSTsJM2lmUaRdHkX6nbJLQ4kFmj6ujiCn4dAkW/z7vXZmbdttATzzyddzvt6Zc3ea9S/8Aej/iGBjlQNq1IPvLsYSmyBL76m39Avfn+DfInp8oIN0J8FvgfP3rzTYLDvQ1CVG46B8hNQCAZOqQbZOLL0IxRlelA96I/2HxVGsEwpHN944o993Dbe1L7onpGwvOSiCzgD+w/akcKdvPUZPPC4PTkcDTusInmNLx/DDSbA/L7PlgF3vYgNJf+WwEv/mBihl5zsHYD2CNW7sfkn/EAu8vTFAHNZpNuOKtpWSkfMgLtsRwXEsMflROzIt+jJ23A5qkQjXbZv0Yk04GZcpC3XGUmW0yyuHGrUVdgop8iTJAbb43387eCCKkn8+vrB26dhSJR6WYxrf/N6eqFInMD7e1wI3LaSx27SPlWX/ryhDh/Px7zy/FvaoIAUeXhfAu+rCFZHJ8vDw0UVDt8zMXwGWumoiJAy/Rt0CK6C4jrbgFRqCQd0zf+MVreELgiix6Ib+0lm8egKMFbPxaJoDDPZFKFhyzIr4v9n+J+JjidhJeEh4TA5Lz0p0hMhNmJGC5o155wfjY7nVTXY4cNoV41KLWLDYzSna/dRwNhfbRX44WtrAd7FcJN/pFDQqhnRMEe88AnYJdTMHhRjuTSKIsTtaT/TgkdtuFHbGEuVaIbl2gj1rDU/LHtdlP2c9X0GjYurMlOzGr4lDfYjsEE1tZ8si/NX5ZOe0oyvslTretTuQDFf7DBxtgoJ4spD0iEpWzoUCR3d+wCq2GJ3k5C/Ji/gpo3pKwTu4CQb0mTAUEjzMqVOLQ7Qulg19WcFYNWzVnvHi8tefcty+Tj5eaHiP0LviYsUXRTGUEZzmIbbwC0v6IpJ6wnjZ7FjHRvDAovZFOciYXUWpNxDsJNQAimWZKvPBdwbYnOBxZXlme+P5vOEe7jkrnYKHmfsfNZlxSyZ663mU28QpBdnvo8ulqQwK1/6TggQbpD2AeJ2Z08FYU5xoY7B8fPRXrP5e9LuEpDKtUJmSDelvJufNhS8pSlYcVNNro5rrdTOaaI/JGAoM9CgVjG0SOyRgBZrVikJzoPefWgH5Upppm5/RUWVBJL4XaUmUQDB2aWZygLiDsy6+h2bw508xT+P8QnPf/VYWTdvKMd9US7dGfrOVrJiayJeaxk4MAZMbiNNx3GUp2TLDM5YAgw+PJ/PBZ8P/6CmcmEPHv6uGBSWQEuhO2khp5We0KVbiIB/ceLJrxuuTqnKaHDF/GcmXcuTwJq/IpK5X7eqzktzbSivGCZRxcIzT0CMXpkz3/t8bgOZ5D4mVTpHD1rV4068mbmaqwEoje+oMsxDOP+n61ls0hBjUaAx7fhlonobwB4ZS//ffT4lENjINyShLWnf6g1MV6Zds/6tbFXAG4Ins5GcU5AEB43tBBbHk9E/aL0tEcwcgz3YZ7l+2rpMvBMHphzkHApMP8GSco5zsLJLspNreGaXISavg5b+Iouk1PDUMXJgQZKXaX6vIiRgGEhpr0u3MZeU04PonNNu1oNg80Sunv8o7a9UB6jtYy8tJaQ+XAEzeBLqRvGbpWjNdkfwC3YTLYYY372PfHHBrgXr9dz5ctRXm9vaLUNOKs/kneG84Jb/cDffiLk2BSCsaF4ziD7MuvBzPhTti3hriBojsREe69oAL/glFvTV+WAdb3JTlf4xAThTPUwr9M1J/4/bcdlNg+2O+WeDGI73YeiyLss5BlvPMTEzYjQmtZqSUhHOBKkza8OiSmagav4H4PfTVmMKqqFZAApd6v9GMsy761n4kXLI7b1P2ccIO+61mmFKrmBb9eBGmdoapT8EHXNxqYgZ+MvWDO2xOihY3I5lBZ3Ap/DDChgzzaystDrn58LtTUKkOZHTE0I+gK4d0p1tUQ1Hefv2rX3d3/9qL8YBL6gA4/QEoOx821iH8LYmNIpkBGnwbSRHM1YiUGVrjC2pI7qCWTPyOjtHCqzwreSIhxI/fLR1sbfDVfd3GbDvXHhXfUuDm9Jytn4QWTL+iDXr8saj6hWy9gt4mqi2xtC7i0mxViezgCQFFT1vp+GTl5nU+0AGT2yo3wx721/u9oxnWxdXfK7fHD1+IhVPlR7AV8L0Kdq+C7Wleg9RGa/WTMoSkShJMWN3FcmlVTipCaY+euyf7X8+x/aLxtuUOeZ/R5Mjy8OthcRhwQqQCY6xOHn96Gb2ljxlZ5waabvmysuaFFXGrhflEBXWUVkDuCMNlXvFUjt73eCH10vnTfKEFqwMjJfQL9HsUGkL8oGW25ZyamqbSAexA/D3TTYfx2Bs3uuuf+PrQB0WdQjaVVmQBh8N/1tzBOUswb6+KRK7w/JP3fH6owf1j3R5hpG8kfUSJ1P+ey5i9dMl35EohUNQAAAAP4hLX/mJWrnji4UnQk9g6VL+PDvJZr3qGng+jJII+ZTSzJP5GnoWWuHsGHimf25NJVZcgOwhwtNZ6hSE69VR4g="	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02nkuaprocqgzdqg\Reason = "2147780641"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pbzbutmqjqjbtn	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018800F93212709 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000bafa4e1cec2ead41a6ab3c1b458ef402000000000200000000001066000000010000200000008f1d77cbfd503a26bb55a1bc9fdfdf5f8e164eddc1126efb11ce1fa5d8e8d730000000000e8000000002000020000000fa68a9aa90d744488acfa5715d352b70f2fca64e9fe984c3215cda628886d51480000000c691d1cb155e7a2799c22e1dc433e905b8e30d869bb245b728c1194d5165828fe2f9c98a25d0c50bd8257d0edddc690bc6fbc7a6053283e22bc7a492d7ddc8d66414e2e47d6fdde72aec9ae29c481706d423d593c2bf9590e78c8fd6da9b8753f87c0ee1a9cb4e9025447b0ab2a16e527bbe60db046b94a99798999225a01031400000000f4d09b240192bfdf321728d85f5e81993cf03e811313e70075f25f2b605100f60d09569398f5049a65c5ab43b178ec32e6ba638c05f6ea6a114288a2231c5c4	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\DeviceId = "<Data LastUpdatedTime=\"1719771029\"><User username=\"02PBZBUTMQJQJBTN\"><HardwareInfo BoundTime=\"1719771029\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Name = "DIDC"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nkuaprocqgzdqg\Request Sunday, June 30, 2024 18:10:34 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnjh7m3eA4kG9TS1QEyUaLwAAAAACAAAAAAAQZgAAAAEAACAAAACDuvmO2sNbFNcscLyQu5hwX2JBxvj/bQP/gBtDtUvHdAAAAAAOgAAAAAIAACAAAAC5N15w/3edF45ZdDNZKnmRfwn2HEF6UbOfaK4xqCRvm7ASAABU2U7GcWbVP5BxIMl/ZIId7VTP4Qc5JetTpIKUaT18K3DFrJE3qCulOA/4I8dPxDSYQr80ItsG/HHs8ZLU3/zSPesL48PTFyUJ2fgVbzAdoCcicm0/Heq689o6+1qyPcOO1OPMmBGSpnEjPVF9oN23oUy3T3jW5b4SrJfHJmzHkamu1J/Iya6yQvJ/aMJ5k+puMQZtYcCR3zvMpcPa40zvMKJE080mozIHLCdNY/q+q616NaJSEezyZjKYiitu/JHH0hgBbNAbIhbbLKKR3TX0egO8ysrwu3YYSdbq4vsez3D7GUkphB3m3EqceNWt50L6idfMKnE9YOicFAY6cNnNLo9FPYmsNRiPmYeKqZCI3vgS4KO8Yt74kmKTGluqRbMsJRmPCwTd5fw5g1HKuJ1NFK1LG45gHSILl9hcdghSbFkfEIjd5j1n9vFwAeS4EnLhfi17VWQuYJUK23CFRp3e+v9icdexdZSKkVB75c8X2i0tnHyIQxcGnLlx9m7meKMB+LkO+kHmUTYs3Qu1VkPXkPv1ODE/2tN6x985QtlFL2frzhP4gKjvZFKGVR35vb893zOIZN8B+gc0Am1Xw2A+kBUVoXdy6KMj2afkoWoo7NolUKxHITCLaC7N/pHrjGJ998inL1O+p3llh3zOKt6Nwm2rzhVg8TPQlWzXS5MpfjGVWTUrkSkL/2ey9pFsfR2oLTCGQYPTfyHVHPUhLfVi54kJAOX7iNS82Ih7VZTENqHDeiBjcbmZedAJOVncnyojLuGX/saWV7kkh17qNU2b+uPok8xVMF47dBd+j8Ex1wTO2mFNUol3kYAhgM0VgJW+S3T+yRIZYwq4/oPke688zex4azur/OLdbptKcxj3gX5SDtuFCsnTQCFJ8KGIRlA9A9SFA7aaH0OA1RKTNOqfql24twTnoxB1K9ZtudFegjoTv1RHAuWtZwVaT8eyE8+tK3Kjf/1xKWaOiI4AiYXGaMDvyyTrNMhMa1j09K06laaegj365z8EoVDah5slMe628vg7OhNG6v+dtgLRigDVjPQDveCixA1bVNbXExZ/z30+hLKsAYE+l+fGoFL7gEqb+QrIHMkXxk/xu7bkOzhqrAwrn2ID3Pi0gZwElyvticHnFd5HmWqSha7IUtVlAXz6LazZkPQiQKZVIjuSa+Aj2MsItzFg9DptKTXN92DMi+Si6RpBUxXjetgsjk1Hr6IWcj0Q/NiIJHjERN7Ziqufj25A9m18tMeVUWm9MHplQ+Dm85UONIAruV/ftyDVr05BsKZAs65KymeKZUjHoJ0fw5V07FRdtnypxRldxg8hpUt9L6RPRsqpJRpc0NOTSj1dsL0Yq+zavYomEPMrpSPJBoDeNneobsyAt6qXnydCdJ9QbzNj6wKPLdWE7rsKmHor0HYI1jThDf2AGOKlKE2gPuMnxGq4yxI9/gsws02EnaYNLVBsmitqKdhTFeyNNYIHG45HiT5aJHHMw7tv4Bs+TIBQ07ppxBESyCSFLCPv2YHZV39tYATTK9Y2pvvN1bxmHw/W94PRRKJGzQUxNFxGDfV6MlrZk8l9VzDaDlwyEoWtRsYV95czx1eYpfuPf8r0yl9Mv9uxmx4tkifjxkOsnfOP1j2Xz5L8f5hk/WHRMVSq3Q8Ie9UY6zS43C2evr5XbLqJaeEjpFRft0ZTpb8KPX1Aj4XeUgac7umJa6T6U+zXqtyQNhFnc+2PuPTDJFZk9zcqRZNPkktD8yeRfJbdaK4FbTu5DllyoQ61KY8H0q39mmWlRvWQ3lQvye9EoMLAAZoLmC0PYZgckqLK8Db22CwFLQ/2SbpYcOCpCUnUP8HhO/iOsFgP0exiuh7mOLZIUSnMsfL7bsQJCKEY7mxDdTDlPqJIgLrJYvq37G3bRhyOKspHtJeHg5q+Xx+Q+gB5IYFBxI7HuNFyMMG08O92+ePLbZ+3KK55JWAwzHoEY6H6nET2j8tx14hHtm5RVnVTlME/ReFSH3qOtOgOCXSUK8frSqnDEDdhLAAOT0pdkNBQ7HRzIkT9XHyK7rWmRogqL+TIf0CK1JfBvTIs90YGo1zIF/fr0cZnerLgoCAEc2gm6pBJtiVPIx69ClShM1B3H/tyV8q3Xnbr83q/A2+FzP0Oe25zsI+BpECpM59NHT8vrI74eya/rD80t72XQo4UKU/pKWbHEChAh+1i/cYx0+f2BdCSrwiYwv3KsSrBnagbWrniT3n32qN5OBK7rra/RiPGHrbYjNL8n2WYjSvr5HUqLbRenOUkxho5kPCsWc4Y5L4SRstkAi1fsy6DKj/9yr43UteiFyToOsDmiu5TroILgCixU3+h2g+miO0k7tAN7N9voKiHI3y+44IYPsyOY9jgPPyT50gB9lsACculJx/ClsG+mUeVfHYD/gl4AYW+LO3nYrg8t0Yjn6yaVY8ItmuLJ6/Uz3zFORPs0OuUXSYmr78pkK25P31i3n6PKBMqXINv5/LPhC+eonqkkZwmBzyQJxUaby88tnO6yq2n9GPwkO3AFhbaIv6qYBQ4NtRD5WK2ueqUFmPdgfhQ5YpwS42u9o7DQH6yd+hMmQcw9SftApHp+lxJABMT7lGv6gYeTXJiUH/N0+xJhRTzj8HlWRr+Oz/eQa3P20csTR7HocCJGe7Z8beqzNyFwv1sXwiiErKhAvRO/odqH15EjWaPZLdQM8Fwut1LcoLP4XIjGvmHev7EVVEMunKKtjxKwJhfeP2S8StQPUho8aNAX6BH/XWSFaxzLx4LncE57ZQ531O9M5jRhQswIW7AFVY3LFceyVvcq4qCpm439DTwyKPIcXK/fqb63lYU8CGzLzKf7iauVoWcW5ZlhHSK6ey2hbYCKSyzv8QBGxpfz5AsCYNnrAH1k3wyMCdDz+xNI2vOVARrOFnQEeuAw9P7RQvnbZ31kA7qziRkYkIXJ6FdwbTEj7+vWIqgkDMWVXea7LjFSzzLruVrwxhBmqRIMqCK39XRT/mTyq20uneGd4eC/K7ERPOSf77Zoa1XUG8TJEJ6L1zdqWG8vseRFsyKLTW9toXS8jcgjq+id6xhC2iSjJ6IQ1dX7IbaPCZp5W1OBaH4c+Qg7Yx0y4gFBJXzZkzDMltH/vOTkCAOOiY9kh0NDQxDZ6aEE+7EPa0eARp419orZv37cX/pqYl0xyNYIlMwF8ijyUYJjsK+CnSeY1rIj0swMIwiIUyfjAPAs0r/bDCMA3XuPb9GlOSnzA5PEki6KU78pn2yadTVyCjE6NCmV71r7czJVdw1oGTMlG0g8p0E3rQwQKVbn7+BrpBtFd7oicxS1u6CwCyurjqJPzJM84R+lXblAG7b4Yx321sOkTASntArKk6Ur4kGhfzspc7LXLAfNs1WJelGvtgtU5141Kh7jroRNT/TgzUYXvvYiJDzNZl+xN6y3Ar2RIzUEuUPz/7Rdh/IS5QQHwL11mwR0w/YMr7U3D7ya8lhMhRpLGoQ95RH16E05fAszJQbCO+gpW/16Yyx8Y4Fhht2zx5/sRXTEA9FsYpgFO7rlao8H2DfAKgi5GCKWG2HUwxr5dZ8Ht92V8PDTtPZ6gZI2HRkqz264GauE/hZ4wChOnaMDECCMv9m2agI3UGLEpPyZubFtB8j2ZvCZ9P+ngs8MlvmLxq4Ngob2pjDJYHiexatOqZTDAxTE/i6rUhGWzLg+ifA0fqeTHgMwsu+XJmHUyxwU9D14eD78oFeKXN+i/puQxPN7XWOt+burBShwW+vIw8Su8CNeCqL7juBFVJq7+VCOGV+UG0lcn6JoDk8Uo/gJ8J8uVZTvkzMzfmGLeNTsXWTyiMR/RXPrzNdebg19uDpfOThTRreGrAvlpFwfAJArGCpwX5C91CPOrMVC3ZJuEJMdPxPCUwTIFkkfS8AejBYCXSv59FAIY9C1Gcapd8FqJELcmbY0JMQUgIsQJgcgq8+3YQ3IbXQg35vjhm4k2cps5KJDAVAFiZdqCXBSxpCRdjq6s6KrFt06xBYAfSSQgB+oEZuiWrK2dsO3uTJgaK0e/dvbb9+HjxCJwJhfDZSh9bJaMwyoxQaoN1rlijcuGjCROq1HCq7wfs3U3KyNTaOpHsk/up0veV420n+G6tYIm0Vph0FCIw4DL1Se6mT3Ukz79KFvME3TGEUTdwiC7v0RojM8UUcb5UYqM9a5u/m03dAG4XJken97lvZp6YHcLIL6c8dHaplJLaAIC4xeKRy+my6G1uLaL1pG/ait3fKFPV/Qa6pyumnUdzXn7rgT9cpntPCktJCqWRG4jj2z7tmlW/Qt800sbRMIXm6qjaqgDLjX7wXC4gxbJG+0lT5JQsh2fDpH0fn0aiyKlnty7acfRE2d0sBIMpHWTmVEUaWUmZfLBryEov+mAvLVx2NOZOZCKaf7zVnVzBiNV/jnbFnHFYOALMyfMCNb2rqkq60RyGPASnGauqkRf36iE5ZTAmz5hV2dMOTLxLktNpG1HGNKyE8JhXYDfs3s0iM/xsMo5RrbDKhxrwYfOcKK4FiNaXqogJB79SVPqTHYZQrvpUnFBsj/PSvZcv1r+3tndt2+4Y9/tohv1uYWx+dNpFFX6gTiyHI0bd4uy8i4LnSdn9rcUF9+6qrqosDEvW4y2cNOD6pOQArYDCeOIlhRhlUQmrs61WkW0+/JJJi6DGhsNiksmbxAsEKaVp3b/lW+VL5XcTSk70EvfCN7G8IpGms0UMglantelsENUwPBhN0fnNJ1VPTx4kxcnRn9l17fj3xF7xkK2reX4zQhmQ+Na+SbUX+yYdwMMnl3kI8tFoEygso7GtPgYb4LtK+NT+t+IGZIWYTm4DpAq62A+bhTYzmx1ZXOawPG6Y3XApYU3lM1YajRy9SMz2ubd/8rhzLadWCw3UXmlsU9Cqjmahmf/7RpIhHE9WlZkq/CFkgqHJdYioYpZ4/loyY64z7nk0YDf6K7D0speGX9jxpKk0ZCxvN+XkIeQ2hieteERJfrRcO71ALZjmH7rdcFfyYU9Hof0N+VTJUQF/FvWF79mVCWMaupXyX5bzLxXzgyl/PO95SNYhue5CVP2R+r9ZaCT/eGTERSTNMpziu742ypJ68W9JIWwrlArvpANvqDa7IKZpD+u/ODAkcPGPoEWcNKh2R40tG8t0AxyBb8jQNdw9UCSWYmpFR+qpylQlShsMlveyoNpNBrj2UGoYC4kZSmrub4frIoG1UwQ9uoxqO2ecr+uAuE7tQtYpTXsg5Pky0MRE2VNi5ANVynTcRNtx3dFELiLUNBxcUwqbIS4eo4pUn8nz3g1yS03MiIooywqe5ZIyjQ6pNlUWcOA5sbVdtGWAUbeylTsxf+cueORKn+UzFfW4lR8r1dcq6a4W+tGB8of5NiakBSg8X5FHtwCDAGKeTdSjWzG3xmnbN0mcNdioW8U/oTod9U0acBy6J2DuzNKR2kHgPmG5FrfmZPs+HVKEoZSRnJIXESxn0D0ddeoJaE/SMJbHWLQxxPphY/dztkoh9/ULO6oNoFzDUjucAXa03p969vaxSfbJ14nHhvLJ8968mD47m6H9ZJbH/t8aiDWfQ5pTZjKA1rrRq6pOPvVt05RZ/VapVK2MCBpsHcUAD/YsHIn4FY5K3Uj/LiktYBnrIFCdbB9vSyjnpo55OvjuL4teYk8VxNBcfdi+ot18faWoIGWxVmtgNp7T6xexMOHH3o935IY2AYkL60HPFOvZU7aNk0tNpiuacFFfOK23jE3y3xLaOncnWj8APNOfEL0kr3V+w96z89XA2icD5ewqieJ47QVd28hl6s4hdkWg0PMFtfuODsDRb4UqqtO98TTDcvpatnDJeiEE8/TpOv1XLfEQmqj1wFGTSKfz7S2gPkbTUOBwq5zp2gfhCxsiOs530g4Wv7VZLSd41eVpOH9/pOho/GNFaPK5WfgLvbfAycZIrhEShw1i8prRk7cgVKsMApSiAYAZtNqBqBSYGPPwmv4mXPSp238i2mOn3dWXwKCb3+oZgYFUridNO3ugW8c4rutsvD5CNrgA/+KGjGGbJt5h/Q691dx68BGHyjd548wqSNGNGoHG76PgKuVyGZIbmMdmxcktY1QIUccvWrzIlAHD/+ZAsKy/aoL31Sl+lxKsfnK+lF0UuudQwZEQTFxZvnyC5GU4twHh9zpH9KAqtd0sbJhQjFQ8ci0NTR5c6H27gA8IWprWf0PW9rQ5PhsTiyyiRRI9o6EWE72kME7hqzdsi/vUKbw5KVuCMX7/Pj9yDmnQr/sWzh1auq50JgFgIkHoL3mmyB6Adf+CKidJmZFqa67LQBtnKZYBXEA1Ts09TAGd5tCx+rfFcc3CyhcGxIrqLGdrFPMjx2NoiqtePKBI+R4IOcGPda0+YH2QPCBRt5/jbaUAAAABTK5YUJee9tvEQz1NXTJh1GG5m83ImnyiGhTtkTRuuwLNjjhtYPLVCxsrdw1ogaoyWjExHJLZxgSNNoR+eBWT8"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pbzbutmqjqjbtn\Provision Sunday, June 30, 2024 18:10:28 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuvpOHOwurUGmqzwbRY70AgAAAAACAAAAAAAQZgAAAAEAACAAAAA1GmXmgJv06nlUK30eMjGBZXfOjrjvsmV8P5qyanzUiwAAAAAOgAAAAAIAACAAAADK2SIIbDJnBPa2/jn87gPoypBxI4fm7DLvTI/gamaNjCAAAADZ1dsrhYcIekLKS/hvBtKbNok6WXsRE9n7zx/2IAWxUEAAAACvusdp6D8JRJtuj6/OwXS2ErbOwnWkejADaqVhVgp9pG9jBktP/P+P6KtNLgBHxRnnXFu+5/lySJnzBF44Tjor"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018800F93212709"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\ValidDeviceId = "02ftcycytozmiloi"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi\DeviceId = "<Data><User username=\"02FTCYCYTOZMILOI\"><HardwareInfo BoundTime=\"1719771038\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pbzbutmqjqjbtn\DeviceId = "<Data LastUpdatedTime=\"1719771029\"><User username=\"02PBZBUTMQJQJBTN\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02nkuaprocqgzdqg\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3558294865-3673844354-2255444939-1000\02ftcycytozmiloi\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000bafa4e1cec2ead41a6ab3c1b458ef40200000000020000000000106600000001000020000000baf771b078ffed68753ee5011144d3caa7631b18dafe415fca345be2390a7404000000000e80000000020000200000009e1892eaca5686206fcc638570fd4600423a2d013cda205968443be8c5d6bd3db0030000bfaecbcc4907e724e9a1925e7057a6e8d378765386754e18ccd3754b630c531826fd1aefd3775395979e6a09177ac1000dfd1d6a856fd83989a03ff3c5579060ea660ea036e5ab2fd7b0118b337854f96de8d229adc0fee476be4874311efdbbaed945e5e6f0896a6196bcc7daa4357f022639a9b62a9a336803228d0fde0128012c487b4832285186ff471bb674f975deefaa071410f90b59e969f2eed652ea6401e596e35e953eaf9b4bb05b9f0a5ea5b67dd652c661f5f4be66aed48304184325fc74a777a12fa593523fd559740414ab2c125914ba6655079af5879f5dfffe52eec105e5116c413cff34d259e22b8e595efbab7f6734f48643d8bcc5292b2036c827fbad70393cab46fc13bced1e7b4d88f727e1911e4ac07cd714c5235d3619176ee171b2324bc91769c4294e7bd6cbe28b6c5708cc1262033ae6d4809844ed5ff89b7f17f9e34bc32b8ca5f7876c5c67bc968b8224d2988dd015da35b08749692f1e077ce040e2a889b6a81d7339d1f7b2b2357e87864a4835ff93bd017e175b373b5e7d9aa8f71ef5cf2e54a782cf14af91c9f38fe8df51b4a3fe27309bed0983e4857f282b99c632ebbf9965f2b58aca5fa5f1d067430ec5c6e3c6deb1e86c26e73e1447b5426a2afb0215ccb05f86f2871e60dd49c9ba6c9f6225e74f1e35d1e59cd28920a322f8b53b95c5c0964d9edee6ee7be450c3560dd97b42926895ef7b49bd4eb770eab11f349ccc85c459bc6e51802394f45dd5dcba8a204f043918392ca4f4bdb3ac1290404b2cc566cf6bd7b9ca3b03f7f1a717e6ab0f28cfa8f0e3fc2c1a626a903b7f849bc4189905f3da01d61cf0737fc230e786cb861163c6bb5f838bdad42d9eaab1227235b96e77cc158054509bc29d1e8e31be78fd92ce7c020a52dfba9977cc3f0f31a6bde24bbb94cdfbfc5e19e5e5b747f4998c73aac7f33697481de6753ff907b07562572e9f93dfe886dca7d9dd83bff9b658f7f069e601c507a728e772c7e677dbd85a5c7264de62a77e24fd75556ab68034e7096aa9adc18ea5ba01796514167837b6cb761c7258b40d2f363d013a21aa6be68946aebd7b1c5d0d64d5f1e0fcf5a5ba675fa7e13312f61249633ef8ba78cfdc250720bf7967265301bda8b2790e65d26effee55e108cbd59cc9d3438c4dfb3e94a1b51cfa487d7c1d802c5c73ab82ca74f3c2a92dfb2fce61d35f31754efd2a6c2a3c961547f33b72ea78b5481119a688472e56b8bf5016db61764fa1089ab1e0c5a1a7e1c46f0ce9c753c413209d709e6ecb72329b9daebaa2871129338f727bd91c99c5eea959107de943ae4000000008a27be1a2b51a9f4816fd8de135629802cdc37a9573eb3e65212521df82f79dc5064ed35de5fdcacefe9e0f5454b9afd4491b72768e4a34159692bf4e7a8c4a	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02pbzbutmqjqjbtn"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	Discord rat.exe
1068	dllhost.exe
1068	dllhost.exe
2524	powershell.exe
2524	powershell.exe
1068	dllhost.exe
1068	dllhost.exe
2208	Discord rat.exe
3144	dllhost.exe
3144	dllhost.exe
2208	Discord rat.exe
2900	dllhost.exe
2900	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
676	powershell.exe
676	powershell.exe
2208	Discord rat.exe
2208	Discord rat.exe
4980	powershell.exe
4980	powershell.exe
2524	powershell.exe
1068	dllhost.exe
1068	dllhost.exe
3188	dllhost.exe
2208	Discord rat.exe
3188	dllhost.exe
820	dllhost.exe
820	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
676	powershell.exe
676	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
2524	powershell.exe
4896	powershell.exe
4896	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
4980	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
676	powershell.exe
4504	powershell.exe
4504	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
4980	powershell.exe
4896	powershell.exe
4504	powershell.exe
3188	dllhost.exe
3188	dllhost.exe
2208	Discord rat.exe
4620	dllhost.exe
4620	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
4896	powershell.exe
4980	powershell.exe
3188	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3488	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	1068	dllhost.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	3144	dllhost.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2900	dllhost.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	3188	dllhost.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	820	dllhost.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	2208	Discord rat.exe
Token: SeDebugPrivilege	4620	dllhost.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	6064	svchost.exe
Token: SeCreatePagefilePrivilege	6064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe
Token: SeIncreaseQuotaPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: SeLoadDriverPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeShutdownPrivilege	2168	svchost.exe
Token: SeSystemEnvironmentPrivilege	2168	svchost.exe
Token: SeManageVolumePrivilege	2168	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe
Token: SeIncreaseQuotaPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: SeLoadDriverPrivilege	2168	svchost.exe
Token: SeSystemtimePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeShutdownPrivilege	2168	svchost.exe
Token: SeSystemEnvironmentPrivilege	2168	svchost.exe
Token: SeUndockPrivilege	2168	svchost.exe
Token: SeManageVolumePrivilege	2168	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe
Token: SeIncreaseQuotaPrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: SeLoadDriverPrivilege	2168	svchost.exe
Token: SeSystemtimePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeShutdownPrivilege	2168	svchost.exe
Token: SeSystemEnvironmentPrivilege	2168	svchost.exe
Token: SeUndockPrivilege	2168	svchost.exe
Token: SeManageVolumePrivilege	2168	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2168	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 1068	2208	Discord rat.exe	82
PID 2208 wrote to memory of 2524	2208	Discord rat.exe	83
PID 2208 wrote to memory of 2524	2208	Discord rat.exe	83
PID 2208 wrote to memory of 4464	2208	Discord rat.exe	84
PID 2208 wrote to memory of 4464	2208	Discord rat.exe	84
PID 2208 wrote to memory of 2340	2208	Discord rat.exe	86
PID 2208 wrote to memory of 2340	2208	Discord rat.exe	86
PID 1068 wrote to memory of 620	1068	dllhost.exe	5
PID 1068 wrote to memory of 684	1068	dllhost.exe	7
PID 1068 wrote to memory of 956	1068	dllhost.exe	12
PID 1068 wrote to memory of 60	1068	dllhost.exe	13
PID 1068 wrote to memory of 744	1068	dllhost.exe	14
PID 1068 wrote to memory of 1032	1068	dllhost.exe	16
PID 1068 wrote to memory of 1084	1068	dllhost.exe	17
PID 1068 wrote to memory of 1100	1068	dllhost.exe	18
PID 1068 wrote to memory of 1172	1068	dllhost.exe	19
PID 1068 wrote to memory of 1244	1068	dllhost.exe	20
PID 1068 wrote to memory of 1264	1068	dllhost.exe	21
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 2208 wrote to memory of 3144	2208	Discord rat.exe	89
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 2208 wrote to memory of 676	2208	Discord rat.exe	90
PID 2208 wrote to memory of 676	2208	Discord rat.exe	90
PID 2208 wrote to memory of 2180	2208	Discord rat.exe	91
PID 2208 wrote to memory of 2180	2208	Discord rat.exe	91
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 2208 wrote to memory of 4520	2208	Discord rat.exe	93
PID 2208 wrote to memory of 4520	2208	Discord rat.exe	93
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 2208 wrote to memory of 2900	2208	Discord rat.exe	95
PID 1068 wrote to memory of 1304	1068	dllhost.exe	22
PID 684 wrote to memory of 2820	684	lsass.exe	48
PID 684 wrote to memory of 2820	684	lsass.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3528cb3a-19fd-4601-aaf6-0788097cc33e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ac0af1b6-74a2-45e0-8102-7c02ea6210d3}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f84d4a9c-0093-4989-988f-237946c7d4fe}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f04b0a5b-bc3a-4269-b7ca-2e91330f2a7b}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c590336e-8f84-4e4c-a530-831f6e0a3340}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c5b79031-5468-44e5-ae55-b75fc316876a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{96b6097e-ff39-4d39-b609-ed79959ae9cc}
  2⤵
  PID:3676
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e247e1d2-7cdd-497c-b817-44cf54f3ce41}
  2⤵
  PID:5572
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3465f334-96b4-4d66-aec5-7bc7b21915f0}
  2⤵
  PID:3460
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8cd24587-b620-4972-a841-ebb1e6baae50}
  2⤵
  PID:2520
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8c2e9d3e-acb7-4a4b-94d7-f9fd9fb07e15}
  2⤵
  PID:1184
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d0a3d9cc-8e29-4d73-aeb5-d94c1a4d1cbf}
  2⤵
  PID:5576
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7d06d93a-74b1-410e-adba-8288c511ae63}
  2⤵
  PID:812
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6b292cdc-0a42-4c8c-aed2-91a465576e26}
  2⤵
  PID:2944
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{20c61bd5-7c15-4d86-9570-cc943ef2dc9e}
  2⤵
  PID:4828
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e9f11a30-0b16-4de4-8e3e-8cbe43533131}
  2⤵
  PID:1208
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f0a505e2-d03c-4a50-a892-baffe5991aeb}
  2⤵
  PID:5968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9acccdc1-59ae-423c-868e-b8ce45651e9c}
  2⤵
  PID:2728
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c469a456-c1e8-4ed4-bd54-c68293611085}
  2⤵
  PID:3716

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1424

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3012

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3488
- C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3656
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4464
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2452
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:676
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:412
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2180
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3192
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3512
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2544
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4584
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4328
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4564
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3740
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2652
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3104
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2772
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4852
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5056
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3128
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:596
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5588
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1208
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5312
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5424
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2144
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:908
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6112
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3268
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2260
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5672
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4728
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6108
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4356
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4008
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4208
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4472
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4560
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4012
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3048
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6020
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5916
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2952
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3896
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4588
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1364
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:432
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5140
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5136
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:700
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5296
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:776

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2612

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4992

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1728

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 016ae9b219b9aa4ffaf55292243bb991 db50Wjwkw0aGML3uq5hN2g.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:5964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
PID:4168

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4288

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery