discordrat | 5bce7dbec4e5f84a3548b60cfc92db0cb12ad033a6dc1d6f4606af3aa1b55265

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
11	discord.com
26	raw.githubusercontent.com
52	discord.com
60	discord.com
122	discord.com
9	discord.com
50	discord.com
25	raw.githubusercontent.com
27	discord.com
57	raw.githubusercontent.com
120	discord.com
121	discord.com
18	discord.com
51	discord.com
53	discord.com
58	discord.com
59	discord.com
123	discord.com
36	discord.com

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\$77HWID Checker.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 3936	4320	HWID Checker.exe	87

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_8086&dev_0022&subsys_80860022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	svchost.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={028D3B53-8845-416C-B6A3-C334118DC385}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pmzbrzqotkoxie\Provision Tuesday, December 10, 2024 06:10:27 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAQbJ3SKpLikOXAFs4zCq7cgAAAAACAAAAAAAQZgAAAAEAACAAAAA02GWRALUB9UIXE6LTDKwJ9ijzzz9YteD1G1NTD8rb6wAAAAAOgAAAAAIAACAAAABDiAEw2e1mAyy1dxtTXv5nR1x+dCZJ1qe/x+5KOXVJhyAAAAAzzLsf0vbMc++rEPduWcPJu8yv6GJZlVAP322aEYEqdEAAAADIJsnQgDkdfTYfoFINu7PpHS7D0Yg1yjfVHbOj7ZxPGJt4vGoWA2WJwAWCLLfj4gPskF4/+G2jZ5K6k5K2uEPP"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000041b27748aa4b8a4397005b38cc2abb7200000000020000000000106600000001000020000000be632003bece5d1f741c85bf43a796fd966d4352a58e888b117e4cf18d2ceb18000000000e8000000002000020000000a6cbdf3d9751a6fae305f69f97cd7ad28b8a77895ab7d2571f60442cd947b2f7b00300001366cd37d068e21e2317de251443b52208f6e03c719a73332d159d58be408d289841fd7360f5a95cb769695e6733e1155c859079f4e3c7fd4cdd485ac45bf47a4e0103066f7b43002dd1ed1f44c1b1510477ebfc6cf6de02280e3429bb7dff1f3602656360797d2c47884119e97db8c38edd636fa16cb8e8f9042ec8cdce3baeee9bccd6ac0d51ea74fa38fc1c0f80ffc799e159cc807ec22d5c164a1041399f7eef7eff29c492cd3f68b9900c81ee66676645e74722630919ba84e210c807ca9c233ad8df9178eeab8848097c077be1bfaba96cdfe2b5001f9327b19a4a3a79beb14d27e59f940d758557d4c8bdb504c4dc7e43f6f49b461bb5458d926c7c636013f6e9b9dc2b0900f7a7151926ca69603826b9826801351d29618d0e5c4eda082b21c4bd7c9ecda1788493a1db310e15c938ff18add6e7918e33a8413702f58e043e45d4b9ad59316461b9afd3c2c674ce7386c05b2e3d331284d38816cfb4868131347baeb92ef11b17b062b9a48548f71a6cf8a450864f39fcb2e2037bdfab997464574acb6044cf6e23e88d462ca962ad8e021e7fecf8120d40070b50437baeac1f18bed889b08a9101065fb431f6d7e4ce91d7ef01615ec63d84adf2fcb8e0a06899774cf0088e693367d0319709fa540af529789eafb776061efc04dd5542947010f815b31b2b8ccfcaedefe8b922807876a6860c055e0c811060e9d6ab1a12f2d7259741de37ff6a62e179043e72a4399d2dbc48441c23679a443906954c2b888645cbb41aadb46b3f0df8660bfce114c87d99dbbfa2b3f639d1116e1b8c211971652036e4184d07602501c5d4047d517c0df7cb297e5ef0dd87786df00b57e770c2fafb26c64f6e34a5e37d3db420fae5139c5e3dc32ed9d4f68f1eca447cbd45636532264f5c7bb8052bbee7187ba2b6d08d80010dcb4b355f4786bae354afc264a362ad308ed7c7e78bd1fb3a0c94fd8943e4485d1c6223f6b586478957bb5a09e477e63d23fdaeca38f3ec132a6754d8d83b2c6c04a9095d27bfaf95db8bc526fbc2723b2aedf90089b4437a9dc0e26ba363d7cc3c522e30298a5714eaf6eb493c613e4b07552a4cce6adee0c672ad475cd504a4cfd7f25b1eae2dea76150b73d25cb03fd6bbe0a0b73a8f8c468831325a0d1af1f4cf03ffb920dab67b730816e3a75d7979a578256800b651cfce6ee57ab14787c92158b09cd3c6841d0ca1d33694526807bb9d7dfac7bc754da628c4d4d7dbb8a4975023d9dcc205eb3c726bc810786dc9da25b7ee073ebd85adcdfeb1fbe7bc74445fd12a0c79f6736ac933455c4d032cfe813e9c7340000000f85e86b85c5935ef5b89a83d6939438938d6bfeaf7dd125bf1237523087e6ee9a9259202b8f7e66f3c1903561ce567f2fcc525304f70763a5d4a306d5470a5cb	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00184011C3E7094C"	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00184011C3E7094C = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000041b27748aa4b8a4397005b38cc2abb7200000000020000000000106600000001000020000000442a62cc7d5ab896b764bd9bc7514a4311815133133450ea6a55170810f23c7b000000000e800000000200002000000072da3db7d3b4249d9357c8be862d18afd91c359e9aacb4010203bccc7ee6702f80000000cf950247bb877ff2db4d50327913082292a78eb0965cbd6cf81d93c6cc65978854b8b6b844b4404e22115d28f414c45ce41b33806096528ae0dbb78881147645deb87e36f2d6ea74c79c150e4445e6df90041b27dce777a8f9601333150c4c483b3d0b728165679b3afaa4a8daf01f3bcb226021c957022784db743bef65573f4000000011205e052510cd19670f2d5e0e85d1692398861d641eb63afd35ca93b60221280dbde800a8ef70fced8e1f757e0bab0d032fd4b085173664c509cfa4a30295f5	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000041b27748aa4b8a4397005b38cc2abb7200000000020000000000106600000001000020000000e8fd0d23939c4752ed5eb264268a1c16e1299ab2e9b9bc2af4fc81830e1ba1ca000000000e8000000002000020000000fcf64e01c97751db2d200fbc64473f373965fe23043f62db51952cc8acce47b0b00300002b58fdfdd1eac454ce481a25bc46231d226c6666cab196e3c73ea2f15ac556845208ecfb1a49775e3d4df44f1a1c34a0ce7cf4029992bf33075d4fa976a6bc9ebe1eb030580f10782e9ad9965688ebd973c2223ddcbaecbcfba168641adf3f2fda892fe70a0084f4fcb0b3d4498605a93b56675bc86fe43c380c7cc64cc70ec97cf2ae09e38ef8768c32ca1b233daec565e3b16424908b0a9d3f873a277da85f1fe9151a7a099055481e62d9fe5d2d02dbab2150a01be2b59fddf823eb40f140816d6768e28c66ab9ca8ebd14b99a99c1b2f1c37ae58c484c051def1a891028beb1724e76dc6f36ab72c4b1b85750a2696b02f965571046dee7e6558201dd552fd36717377bac38aecf27418399704f56533d8fdf2e45dec9aab5f59ed763f5a328222bc5e75230c09bf40fe3ff7b0938c1c7eaa8d7f3840bf58ae42b50924f8d68aa3049d1c3084f36b4f8ec429613aac911427dd42ede71ca52701568486fbf073a35d51cfd7044c6f3f67640a21ef28ba899c7095decceb60ad3fd5394b221788145b2fa32f60772daf74a8c3d80a4122fbac4355cbc0c1a2a5a2bb09aa7069d85f00e2916a38dea4bae7281aecfec7516f910ea460f21efd93b0f49f647bb26d8102fb50a13aa6c17ab91256cc1245724b12bbe3db0b8f870803ca8d71552142d412bc1604ca3bb56f7a1cbfb057be9f0a30f63ddd4f811d00485ba1f1e738676cc70fd27fb4d6e0d87fa810014b1f74458e49cd70caf8a07ad1273a9e671c926ec2328df8fb56552f72a00dc0baf8b0a546415cc05cff797cd2494c081aa3db8e99bfe6fd2eff7a6469453a1031f3395972a620cce39c7f868e050c74b713fd16a029d34e33b8c5cdcd6719c3a01968dcfb0dd61dc68680448d0c5df43573485c67644c93344affb14add548f1cb79111661e998083badad4d5ac98fcf1b7b7afd2a208153a133c861c3449c04f6bab31f7167310b8f2b3ad81b272f3dd80df7c3555236167d8dd7bd62776ad2f783370a338731430775177ae5eeba6c3ee2d00fea7e7a96db6165728a4e96856f6e00d4047c83fef8668042be1b7e072e3648482dba7e8961220ac3e16ce1b9127378ea5dc0276c2d98a89a3d136c385671a9e479cb1ea173b1c34f57232cd85c7af999837720ccc3662b6dca395a327276c48a0369d701c11650d02f784f432b8d3a0f11473e1e8364f0d7a1036058935f1b85fcfaea9b19c909ef74489a3a134a28bc6c39035be08782b241036449153d90827c5f637171797a95bc613101e0759db1da32037f0b5b2288af2f2392ad7f7b33285761d85dad238ec91c27d47400000008ab75986891f012f78641a74c99065c3e0e559ca9d6507e3d1631003d9b70a4683ac631d02ccaa3de93b0efa504505f5cf9a88fab85f54e598d9537b86c0bbc5	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId = "02ekqauvbvcusyks"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 10 Dec 2024 06:11:43 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pmzbrzqotkoxie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pmzbrzqotkoxie\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02cxaobyoycdgrkd\Request Tuesday, December 10, 2024 06:11:38 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAZFxp3PM/ME2Clk4wiz2krQAAAAACAAAAAAAQZgAAAAEAACAAAACjzpE0S97uYnHYMwEdjG1210SI10MA9u+26Vq+VL6yiwAAAAAOgAAAAAIAACAAAADnzSui0DF3rSb/UOVlgIe8/5lkdRrwx8GSQ8bf/MVqtbASAADr2X/ZoDV4+F0Y1g24f2zz2XO5JleLn7giwLgOwfZPQmgCfUKiIntp/+rz0IAp2jXCGaKVgCSu8lOXq0r+OL8Qz70arxoD4/VQxYQZEK+CwbCAQGe5lPlsbFer3VG0rz4c+lQUCEI3tlDuLrN/+69wZ9gY9nTzNmb8uWfo29y50tEWSYza1Pfcng8PDbyOmSlx/A6vwO/hlou3Z6A/H5e9vVQkIbdwskprFIBFCVnFRe6lqAhB6iDQwlTunUhy4S4z99u5Js47+UU7sRavPln4Q9M9KcM7ngPPHmNP0xsmMAXnd3U6T4TsE+6FF5R1YnlnDQNb/iG4yEeWygeN+AwX/PxRXxvrH6S9oDDvO2zyPYaR1w5xNmgdMyJ0hZHW44JnSyy+FxgnIDKw6gPmHO/E12eGMWcxLYnnKJlwuIl3RUzNJqAqvD5iwXCAuaSQOl3gVE8OIzkilXZ+c39go2VpuESAqJfiXM+v7bU4pBhqzcx/vkDO2nLeKeXB33HByiizOCWMUKEs8IN8LZO7tcgsx5Lsva64m+zk6KNsiVe0cSwh8NNYP6J4pdKp1pnl35JxxWNjJkIQHwlwkvHbOQ9a7w6SzaSG8wnXXPgrYzl+/V8uVewG/GA7EDpwX0HSZlNz7/+YGcL83WhrurW4TsIedmY/YCb3j0fn0czT//EG6gmuhPe9tAQPnxLt5iNYiHR3jtOF+v2mcO7Gjcinmqso1edKFcmFz04JPTNC7EzkzFKWw+jo4qDGVK/FYU/BnVzVuWaYL4SQzzahwHmjruDV52RG3z1QbDq4QXVR1KHJgCndlr2Bb34lHflaX2sfMr/eiwSdh3EeNUMzXMFCkSmOeBYg0ZIvRouEvoxMULB+Gs7cM6vvtfHcyGTTZNGuN50PY9NquOyYwdC4S90pxRR/y6lusJvucIMGqlTCazBXfUX1IHtuuK0cObkwIloOmpJjYjT6box/Jej/bdSoQg2cl5HJEjxCZLJ5pVLzkLSQQkjkgZdBxeLu8z1FcAAmBXboLC5pJPQOUonzqgPUk5RCW62zD17h9z7k2uRPNq0e7+tsW1wSYgo7z5p0GMcX2fvi+Ouf8Kw9G4WXIppw8/W1kSJ0ZC6Yw/ggR1PTK7IZaHCyAM9yEYtnN/XTUr+DX/r4pO9PHcjA22DIokuNaTMrufMXjDfHAyoKLwX1A3jpAJT5YkarRC6PEm8TcS6ayaVhhSANCFuUoM+2O1iodMNkYBIQf7voMJblW3Qnho1FA/ArCEbJd0yH1oP5wm9drcfKHoQYaH2UY6DMK1qcUF0WM8HxUDzW2a7rZOrtYmeknIlh9eLHeeTm3AMiHFVVEKiBpvF8ErFsWhmk2TyikSnwpVMYFRXMUsPs2nJgq7PfWm2q1bvWLtdNkY2j73GZ4BUkiiI5ai1abu+oYfv133Ao9qu76tzRY8Q7/axXiXpNUUusSbhrDt+66125A2WaD6pInqOYQzi9TXc4RU+cYsfDuDCMwpxMFcZSmEPlGKpJX3yt4t8dvSSVQqJS4z1Jg1mj27qwvxWOP6m5piSS5fd09nP6lb+5nRlp9nXbaa9ksJZYj0hpbhQKjyrA0PLNoo8FJAgblPUK7KmPe7tSYyqvu4CgBqLe4FjxGGsDhn6eFriSFCCq5VKTC+nIE5XWzY3yM7JDc29KDAVLtPH8ktpkovXj0hB0vpZw03wu/wC/IRnIc99bT38OE9QrEF0oaSAfSRk0DAm3lsikkUp1LrZhH5ha++8nrpyF/egTl/ko5Xvxpvtanf7+32FKxk9cZBVTu3xheKr8H9QMq8yJx26v5w9IMN+HXbqOnRIFAN0qCholi80y/EoOev4Yv1auz2f6MNh8Qh9BBFWcTTOFRqZn+bsBZDq/jrMu6YObUUQ0IB/0q2OimRUbrzlyyGLTqo3l3Yd05QQI8d0w+D1YQEJY4CQVEPK9/zW39E9q8t+2gWdZs+VeqeAmc/+/dqox1oHF1LfnqyVPYduvKBN1V9xNtXdEZFy1+gGAxj5Tcd8JwT1lIl6XuPyGw6rIBJBvzG+ALn4+EY+nF2sgXJszZhONz9W0XuZlI7+H8+3aICAoP6w/CKQq6YtPSocnZaSV+tqp+mOy1sWoJEKC3XBnGj2sLu14L20BBTVCouAdtczC7w38cTDX2hpHqAyw6tAx3SdT8wfRmiLfjsMrjb+TzKFqk5VwN/Xk3UAWaHbtG9nXyKj9eZPz/1HOIOPEixOR9tf9GHcwItwcJcas2wPinN/kI9S0a1R68C3k1I9ckhDRpazWu+uVe3XnTsg/nenIk91g/337lYIcASyjUsAAJJfB/RbZbmJPJbZ25KCv761d1H+/JrEtqCRQRwss1n3vO1H8776H8ET7H4oTiiTDjvRtt1fs2I4utQpCbTVksQApwmAK0CzPxgaAL4mVIXJ1tzrbnL3vo0VijCMhrb6OV9ExByL384g5JKvAnMJc00GM66WtDwzOihUSmyw9ut/XJCp0fG2geh9NY1g8oDUm92FUjaPUwfOU9XqVuWfRdx874KuWfr+o8/TnrU0ltJgdqHD4tleO83gFv7Er6QK6gIbPsXmS4k1Pbmy/DYSsvtppB4m88PAj45jMVwSKnsJ9Volj8sIbHRfvCRiCyze06BGKQsGRXU+QUjzggmV+8lq0mVKE6zxG11hZScksf8Xz9RS6JinewwfLbXSMNVcf8WkTsp2ORH0MQRUxaEb7eYgXnI0Xy7pm2Aaup81yV8e5IUjKGD44ainjug2+fhAgACXeqhvdHZh4TM+sNUoyO7+R2psHUAcvNiKbxBNndvku9NjSCD6Za6jbxiew5sFRCD2Ppy9lKt0eA14ArQ+CDtxKUOkecligbkyqbaYZZjzWZdBhxl8QnJpyCQFOCPKOithY5qcQbJ/hWV9ZHfttwGv+QQexY7IsLA2D8rJrbZLOGoL/BSkOUK6sWd5KolPveK58FjaG9Sb4cqatNQj5lvFqPXH7BhKysWdN37hwxYCmRsgxjwvVfXiCiy4MaTZwdoVM3dMjn4EFPigwy2G6L3kiVRtDS/c9EtA9hXdyjqpiVxBN45cCh7tBs10RtI7qkZyuz+tBc3HRoOhAVM+YkbmDDeOfI7nSGwBfhSt7nWMtvrgtJuLCsUB4zJhu8xva+IZzsWkFE310Snq6nP9WyUypdO8ItvwifdjxlPqvlUmUgSQ+t+PLo6GZVQe6aJvTqRLBSwIy++gbX8TdkzAawJWOOKV7xXxkOzbCOvHXD7uRu8e9wp/WIC0p+FPMPywv8jYDnDbb4ZchmzJaneE03fYIW9YZp4FLUienGdOKlyxAgspO6v54fsSZKajRj9auyAyP1rumZz8/cBekuOzftyaoSEk+uXuqb0gR6I90IXNyhcozbeo5Esxk7eJqNRbGNV7IyC63/w71Vu29YeHjWwzCVh9hmBzOWhGngv/baLwDsNxXGjdp/CoNUZjs+pCX3lDpZraJNh8U9kKT1koh2LbCloxgXFxZ+Znqlcbb4Jskmz6qknHLCgWnmnxCAWFLnX1+fPfszeYy6PJwZMZhTvPa1J68pIwjLjAUglGfhacA+dMZNXttkSS/D5eBl8VOLi1eQNbb/st9mJEEk3B/9qrEvOkmGqRSTvTj3HTG0/AxnzHzpMxYd/QH6P/PDk5+VfIzfy4T58WWTO/oxUQiRBki59ISzZGkq/7hpKEPRg/rVt7jbNm7vaKFpCtbEPW0NAKK0kHLTHLTOTD/kh5AikaD/4xnmRPbNfAvgkCSmwV39UOYgbY424pjDlhWRzB/oJoJfBowEWYU45b/j7wwNwS/v875B05wdjAAiDv2oZ2lrbVlSoNJ9OnxgtYq4CS/K6B1FV0dDRg7CHRL6BUOJSyZ6DxQmDwKng54URybQ9TRbzOm3qttUJDZ8/t0Nw5W67UbCxi4oaWLZvwWGRh3w1DG6gixeiTCCU65bhErISgTXcpH032PnaOkB/MFQLcQmOgLvlpd4S1DdD6WZVUIgSNVglffVhEAHhls9j45m6scC69gdcSqhoqFujeCoV2T7TMpKRs3at+m2/Bdb2usvHZsAJsxqXXiWCrhz8jkGI65OymkAMC3Pzsw6cMvKQ2fQtZN3Kq3Arv2sUuCHjFvDC15oiB5MNnC9K2B2GWiA8CFiiYk8xV3EV8nSIFrtE0vzCyIwhnPYwUZ4fIIFDM73ml+cuiWHo2O0y2DVhZKMoMjbLlGcUVs+rA4V0Lkk6saKr4VnF+ZbMylmcUyAuwcIOBS1sU5levMfb3lP4k48yzaMPb5cxEmnxbAfOk5nZJjTMoqRO83KvMlb+UZpkLDKDY62TjnKbVij/Emb2yQ42ZIrdN2uwrCk3LKd+QcpNyLESGi/EfzQrcfZFKzshU6QpZ2hFjACLKyNqySOmrhs7Hebc4m0NyHRorQtzqXz7IfGIATFSvhban7SBa9qG6R2YY8jAioW3QfGPcuX1SKwwi9DkhrywSezxAEcGwUq8OgSJYugIblUrEk8a0rWLQF6FCgr7MqNywP5wgGnQoZ8lQxPJbbKdUAFqEoqvy9QXyM6/nLOrED9twqD6OMPW0686fhy7gcPcEH5mxDGD/xokepxHHXdybFBwAZNBl6Q5gRHFOT0WEu5FVzDlQ8ZcNYPuZsjUoES7O1pg2ymgLYQCU+ebVdljzpsqtmxovLFScpJ3cQcR5Wc8xAlbtq8BJQHeFkVO2JZI0nCKHjenS0WRb2aNi74P1zryBhpQxObJ7tndtNiz1+RX3a0aUhAg+4j+AVxAOeIXzgcJTQCkq/7vIOxgQXAF0LTR2qmCoWpz5TPhBt+MvQ5Z0uSJ3GJod1PgErm4xuvOWvLNaR/5oQn5kdZAA48E0X/cUAokZX2OkUCHs42E2+mY6Mex7x4E3GLFQCUJOz3PRp9ffYMSESd5iVPwTs+VgrALUCBkJMMxR7DB9YA7xOtFScvhwjIkYfizK1lGqoCpkfqE+DNK3O5Z/R/YuJZ739XuwYkkU5i8ffrLSLxn+rL4REih96ruxjyHbl4PJvtR9HKDyBY3mp+3Eaya/vF5O2NXaq6iKPdC3+CsBDTXmqVpj4B2RGHPuY5XgkDxPywpjuhlNK3sPXbxY2TI3EiBZ7SDkHBrckzeLM5lgrkdoJeCODmy64sVPk0QQIFhT2w74O/0EKhpCypTtjnqFPt3EsLh8vozEPvopBuX0CTjHeUjNYqfekKzKmR4JvoWWiDUssHbR4NtV8kFpzeo5Rbr9aRqdyoqN2mvRJXhdjBZavPNV1N97agT5krhmW24fwId+iHeGoP/fjx3tUgeQSvVZnfFy8ww210r7CBCnppsjcBLFng0Ks32aaRGYFZFmlutkVeoNwMBnoNDhcP63/Hj7hOc3ntVkTaZ6LA/k2w6MY7BBY7392iTZdsgawN7tEX+xhgxva9qwKkr0wVjZKFvD0G9bmRsePduQpHbPKoNR8DO7rjQfx9zI3lOwxeOWjbKbM2af55uEG0RDSIvV66tC/OFHMlAjrqxAD0KASlJ7Oz8YceD3k57TEfUoZ6Tix8JIUqCVtLK38HkQs3QxjUdydRCH04Cs5Q8xsB580L4UjgCfgKQ9SWs7bbIux8HJrTZAWjQUNhyRqazcUTeN3SQTml5L1JyM677OjZ91w4jc1wbzcmPFpdk7xcwTipB2bLIY/ixWzMHryJ0H/LbjQP6Gu63m24uFWMVRPz3jEKKFLXc53dm46CSvQSogxNnC2x0D9qRBCF4CHSzDTDLL1qNbZe3LweCh3MA8Xt3cOjLu+aN5RptFdv4WGgdJRMXXODl4SOw8L/xVyAywRGpp/pXg5OLivr58wGLxNvBPe2Pk9ngytcfiZBTYA9RaYF79meB6iRrt5Gn3BXz3xuRoJS+2DbJHzg9OsbHyc9RQTAgvDBKeFKkxfCefOrwLtUoMZ9Vr276w8YtCh2blcbf1h+nMNaGfLfSOpWIm700zlOYXfo7Yb2hJVLiLgnz8jhKJLWB/ECXUPl4TTI25PFinwI31+ZYPwSL2MSCBJELUW2y2lFxKwfAtPVkfnxEcSUmEWObhA/evgCmbObEDxrW849rKGEdyufQlEDp8vQyBL/3FXPms5hilkgVt0KIKlWdrf285JKs4biV6ksIk+VdIhQ45vJtlj7nJwLwaK7rtel2FJu5ZHmSLX3VD8eRa0fSuFcCsT38tIOODtbycFXMDDw0QL0QDKcK/Oe2P3n+nw5jSlfBQZeCyYsPIlP6fSxl4rg3VYvGndB/BwZ9mZHEJnRmqIAfeUZBHra9QWHOPK+tmLzm4pGRjXRSXnYJXUjjdvhkg9s3vkfkZAJGUufuCjtgzuay6UCTEqUB7sb1epRNQ9tKH0/4TT5hEOmOZaS0AAAACwdFPpgstBw8T/VikTqJXztTFpqh6ya/Hcgn6imicYJ94q8HG3A6jgy5F2mZKWZzbLzXV6ipD60QG6k10b7jsE"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02cxaobyoycdgrkd\Response Tuesday, December 10, 2024 06:11:38 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAZFxp3PM/ME2Clk4wiz2krQAAAAACAAAAAAAQZgAAAAEAACAAAAAZECXHO+kxQXbILx8u52UtAtHhbxJx2HwdATeIfwQU1gAAAAAOgAAAAAIAACAAAAB5VjlHBubCGCHP/GiLaiiFP+3xh6aw9kCIk61eTCuVpoAHAADF6dJ84RMzQ9mTGNg78lEoqSDtorLUfoMIHbbKiurTXap0Dlt9M4CSyuAiE/B5cqbEPJ/vdKrnUBbAG6QXHHmL29dL+v+L4syqtWYbLIuaKvxC8nHDMOKAcjZsQuHe9sUhpkiUQF9Q010PgvXIiXYntS/7V6XawmIOiTbvyTZ7Ciltk/G3z1gcYX6pufTbtNbAL/mtrC/l+YLbaMJt0qVu3jAjmGhpLgOv7gIMYQ9dh+IWP8ajI9LoG1uYvY4GTvqzA/+A6B1E+g88VEI8dNeLau8chheFXZEFNlG1MX7cHlwpNAbDJ4MmhKdlTbAq4Uo/sW21gdoDFxPQvlftswFKW+vhP+pKjIllu4G7wUp+z6gq1DfTNzQ6q95wW2+FQfunuUdy6RM5HQalJbi99BjpBEN09XcQfIZywqtCNP5Epds4J4SJljhMMyv+4dzS0nphwk+UCVp/1PtHl/UQ+BMq6vSjLPv6isdJDKIRus0l1Kq6STgbv63N0Wl4Br787xe6N/lI1EgPT6CgXu3jIvRizQ8F3GhwiU+OdMGIoyRBWcsLsdDTEOmvDAAUoOshRRj4QeyMc8zwHav/2U6ALh0bIDgbca/TEOSB8d4ynCJrhxJS/4/x0ohXzIXIFJdIbRHOJluhIcs3r9H8DKi46ZI5/OIt81nw8gUVvmayQm/yemnoyDE9dXLv1S0Xjdx1EtRCEOLkLX3/OG3SbsiwCie9TjDlF0XJPS1ct42oOYrJ8q09lcw+Ok/xdzXieWN4sHz5LjwskSXm9L0IJCsbCEEmZjZwWPi5zycWor9jszKM8FyGj2hDl0dV0niuqzJo5GF/4de0epwfA1etC4ngrR0OtTQQwT2VTdgvtP+sADjaWey8SvxQV/PiSSZPJmtkegs7/xPkgGYzQyc/tgjRYmgnJE8BIaTxZFSPKqcfenZR76nrYITSurjgsuzn1UQW3RnDLkgReE1vCVVSB8zkEFq7AntS1+c5uwo1Om3WcbXvai+qbWn1oCrv9RHKDvwZf4Or8MvIGR/bwe0vZA00ouSKOyiHHBqq33lJC3WXjgGuXMNAnJCzlLpwp2pw4QrDuO8s3WYJALQXNxqs7kTvUcmImFhiGf4e87MDDtD8rJktmswawJqgS5+udFzC8yRXOFyOpRzyx1MN4CSb8isQMWbzOxA4QXIaozuspwQvsrR4ZuUlOOYnsbIg5Pkd7WFXTuKkMKJBnmSoiXrH1QUJRnzlX9BpXZfbY7XXtQawo6ffX0/dRYEuQkDxC2k55YqjyF3kkJR6djJPjX+/Ca3aoBIurSxh40spAfZh1RC+SLONjXkWv5C0fBoEj4SjFCbh6JXciIj/nyRWu4cerO8g75FPRnEfAEv9s3TH36oELqeRxc0RS2w6fr+80iL8mvPQ31pD7JojlkMgegYAxoYaLh7bnTFfQYGg5CGXb3x+iPkzAb4h6z6SRyygyqRJPmqox8A4x0rpk87sWdba/3XA9MkH+a5455zs+kqklyqWYda9S3p+m0af18PJz0qsJAOZarPR9ExyNCJd9+AmeUrjTF7370uf26f4i0dq0nXpmwpZfkx9RYk95wgzNABlQ18+cuY/ZY1N7TDtwIn8ARLJOp4bHkkF/bN63xhLQbzoBk4cnkhI3wClwKAMu7sRzhKhcUU3Gr7NLo9dis471lACdnMudJALExaDQU21ETyWZ+vYyCssNhnoWnW4gXTS6lh4IqOcKuF7YpwcRjfxve4gXESO0po0AY5wNQ83VtIihzaf/GXwGAanTUcVk6gijpSZpU1AWzKiuO4Oyw7yxyHUgnskSq5dvrkyBDIFUP4sprKNNiWh/ZqutqerrfoNDzoexTZgN8DDLSOffWXtHcVUCkXi+z/RhjgcxpQMJ3pn1PwlpnKuYxEdb34QGiEV9QVybgrAQBBMIY8lKqi5l0LHIOhsku7Z5WvcKR8xhUGUR6T5PeuBe0bmiXiIuz/4CgueJJ6D+lbMxngwqujFj0ZSXd9yvUOLgXwYpK/JnHsZ1eofP779IEr4VPSIOpNqeDfduzGAL5n7eaGVKdfcBI1E92JQ1lenUG2vUqiROueIjQhtIahH0q8BkpyZwHtUTlNFdygHeMyaGMAw1R4gA2BShZhnI5wpekqhKA539hkZiBbr4UwQBUuQFQJFRJ5WYVjvRDGBWOQRTeebpetjktQ9lR90y77AfRCUAPAPbkv3ZPSKCZmX460k+hZBB+zo52lE0q2Qi+mFOaIvgCQA7PHfZ4nsdsCwXgo9aN3BHCUp7LD6UdcawcN0XvKF7gOiOe9xm1fab6RLmoF+BF1z2U2D0aJAvTEOz9yVbPSTmGz4Nh9J27OOpQY4Ok931fgPBqo/CCeI3L6LRFBXp94VU753VgJwRAo9xeniGp4msH/oYhKQlmrrFbgGV06U2mwcn6mQOSxzTjIF94dJtDKAIInW9AiTGJqPUSBjkv0UEbDXLhU/Qa64K2kgS2SXzaoXz43569QysyMGEjqOazdyZNB+PDJe/83hharEUCX3qhr6s+OJlxlmw+729EWFtsRiMOXva6VAAAAAIKM4i0fpBkF+O6PQPira4KJnkWgb3whuJWYUxoQtNgFirUU92YNXEQq3zbdOs/3ZXT8iaRO31iF/X+QLQvR9aA=="	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02cxaobyoycdgrkd\Reason = "2147780641"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733811102"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pmzbrzqotkoxie\DeviceId = "<Data LastUpdatedTime=\"1733811028\"><User username=\"02PMZBRZQOTKOXIE\"><HardwareInfo BoundTime=\"1733811029\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02pmzbrzqotkoxie"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00184011C3E7094C = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000041b27748aa4b8a4397005b38cc2abb7200000000020000000000106600000001000020000000005a39743e432ad09671e2376dbef945cfa25acb4a8a9cf5a70dd49b1633e267000000000e8000000002000020000000db6be6468df3e146329f31ad6851a93abcb34f757e32db74fdd0416ee21cbcf280000000d559840aeecc792d0209155e3e392c58e109a338508943bcb0ebac4ad00b93f85f30c97bd014e18f7f5c70505ccfafc7fd575d33cb18585635c069d799f9a64144d3a05441dc80ad17d102f459803fdc7bc834eb08aa4665c27c016ecc4c213aa10a449cb896e8f3f0946aa57e5bcd465e474b05df0fcc16740c2b7a200931404000000023e524dca9942f176b49c9d383c6fbb805f6ded7047696be0ecd6b9bd2f01d3a0d7f4d92ac0bf59d876ee860931937b25ee5ce53b199eda0d8abcabd5ac9152c	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pmzbrzqotkoxie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pmzbrzqotkoxie\DeviceId = "<Data LastUpdatedTime=\"1733811028\"><User username=\"02PMZBRZQOTKOXIE\"><HardwareInfo BoundTime=\"1733811028\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184011C3E7094C"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02cxaobyoycdgrkd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02ekqauvbvcusyks	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pmzbrzqotkoxie\DeviceId = "<Data LastUpdatedTime=\"1733811028\"><User username=\"02PMZBRZQOTKOXIE\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02ekqauvbvcusyks\DeviceId = "<Data><User username=\"02EKQAUVBVCUSYKS\"><HardwareInfo BoundTime=\"1733811100\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02cxaobyoycdgrkd\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02ekqauvbvcusyks\DeviceId = "<Data><User username=\"02EKQAUVBVCUSYKS\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02ekqauvbvcusyks\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4132	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
4320	HWID Checker.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe
3936	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3488	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	HWID Checker.exe
Token: SeDebugPrivilege	4320	HWID Checker.exe
Token: SeDebugPrivilege	3936	dllhost.exe
Token: SeShutdownPrivilege	1560	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	1560	mousocoreworker.exe
Token: SeShutdownPrivilege	392	dwm.exe
Token: SeCreatePagefilePrivilege	392	dwm.exe
Token: SeShutdownPrivilege	1560	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	1560	mousocoreworker.exe
Token: SeShutdownPrivilege	3956	RuntimeBroker.exe
Token: SeShutdownPrivilege	1560	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	1560	mousocoreworker.exe
Token: SeShutdownPrivilege	3956	RuntimeBroker.exe
Token: SeShutdownPrivilege	1560	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	1560	mousocoreworker.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAuditPrivilege	2492	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2292	svchost.exe
Token: SeIncreaseQuotaPrivilege	2292	svchost.exe
Token: SeSecurityPrivilege	2292	svchost.exe
Token: SeTakeOwnershipPrivilege	2292	svchost.exe
Token: SeLoadDriverPrivilege	2292	svchost.exe
Token: SeSystemtimePrivilege	2292	svchost.exe
Token: SeBackupPrivilege	2292	svchost.exe
Token: SeRestorePrivilege	2292	svchost.exe
Token: SeShutdownPrivilege	2292	svchost.exe
Token: SeSystemEnvironmentPrivilege	2292	svchost.exe
Token: SeUndockPrivilege	2292	svchost.exe
Token: SeManageVolumePrivilege	2292	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
3488	Explorer.EXE
3488	Explorer.EXE
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
3488	Explorer.EXE
3488	Explorer.EXE
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
5064	taskmgr.exe
3488	Explorer.EXE
3488	Explorer.EXE
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 4320 wrote to memory of 3936	4320	HWID Checker.exe	87
PID 3936 wrote to memory of 616	3936	dllhost.exe	5
PID 3936 wrote to memory of 668	3936	dllhost.exe	7
PID 3936 wrote to memory of 952	3936	dllhost.exe	12
PID 3936 wrote to memory of 392	3936	dllhost.exe	13
PID 3936 wrote to memory of 516	3936	dllhost.exe	14
PID 668 wrote to memory of 2524	668	lsass.exe	46
PID 3936 wrote to memory of 860	3936	dllhost.exe	15
PID 3936 wrote to memory of 1056	3936	dllhost.exe	17
PID 3936 wrote to memory of 1080	3936	dllhost.exe	18
PID 3936 wrote to memory of 1180	3936	dllhost.exe	19
PID 3936 wrote to memory of 1204	3936	dllhost.exe	20
PID 3936 wrote to memory of 1244	3936	dllhost.exe	21
PID 3936 wrote to memory of 1332	3936	dllhost.exe	22
PID 3936 wrote to memory of 1340	3936	dllhost.exe	23
PID 3936 wrote to memory of 1380	3936	dllhost.exe	24
PID 3936 wrote to memory of 1452	3936	dllhost.exe	25
PID 3936 wrote to memory of 1524	3936	dllhost.exe	26
PID 3936 wrote to memory of 1532	3936	dllhost.exe	27
PID 3936 wrote to memory of 1664	3936	dllhost.exe	28
PID 3936 wrote to memory of 1700	3936	dllhost.exe	29
PID 3936 wrote to memory of 1756	3936	dllhost.exe	30
PID 3936 wrote to memory of 1804	3936	dllhost.exe	31
PID 3936 wrote to memory of 1812	3936	dllhost.exe	32
PID 3936 wrote to memory of 1904	3936	dllhost.exe	33
PID 3936 wrote to memory of 1912	3936	dllhost.exe	34
PID 3936 wrote to memory of 1980	3936	dllhost.exe	35
PID 3936 wrote to memory of 2008	3936	dllhost.exe	36
PID 3936 wrote to memory of 1424	3936	dllhost.exe	37
PID 3936 wrote to memory of 2088	3936	dllhost.exe	39
PID 3936 wrote to memory of 2264	3936	dllhost.exe	40
PID 3936 wrote to memory of 2292	3936	dllhost.exe	41
PID 3936 wrote to memory of 2344	3936	dllhost.exe	42
PID 3936 wrote to memory of 2352	3936	dllhost.exe	43
PID 3936 wrote to memory of 2396	3936	dllhost.exe	44
PID 3936 wrote to memory of 2492	3936	dllhost.exe	45
PID 3936 wrote to memory of 2524	3936	dllhost.exe	46
PID 3936 wrote to memory of 2628	3936	dllhost.exe	47
PID 3936 wrote to memory of 2644	3936	dllhost.exe	48
PID 3936 wrote to memory of 2832	3936	dllhost.exe	49
PID 3936 wrote to memory of 2848	3936	dllhost.exe	50
PID 3936 wrote to memory of 3044	3936	dllhost.exe	51
PID 3936 wrote to memory of 2120	3936	dllhost.exe	52
PID 3936 wrote to memory of 2536	3936	dllhost.exe	53
PID 3936 wrote to memory of 3380	3936	dllhost.exe	55
PID 3936 wrote to memory of 3488	3936	dllhost.exe	56
PID 3936 wrote to memory of 3604	3936	dllhost.exe	57
PID 3936 wrote to memory of 3800	3936	dllhost.exe	58
PID 3936 wrote to memory of 3956	3936	dllhost.exe	60
PID 3936 wrote to memory of 3556	3936	dllhost.exe	62
PID 3936 wrote to memory of 5036	3936	dllhost.exe	65
PID 3936 wrote to memory of 4008	3936	dllhost.exe	67
PID 3936 wrote to memory of 3712	3936	dllhost.exe	68
PID 3936 wrote to memory of 2684	3936	dllhost.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{99098c81-cd91-482a-9161-664650723a92}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3936

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1812
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x3d4 0x3c4
  2⤵
  PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2848

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3380

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3488
- C:\Users\Admin\AppData\Local\Temp\HWID Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\HWID Checker.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77HWID Checker.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\HWID Checker.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb236a46f8,0x7ffb236a4708,0x7ffb236a4718
      4⤵
      PID:2956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:2480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
      4⤵
      PID:4328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5136 /prefetch:8
      4⤵
      PID:1164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 /prefetch:8
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
      4⤵
      PID:3684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
      4⤵
      PID:1188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
      4⤵
      PID:948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      4⤵
      PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9105050755415837766,9948367781040983152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
      4⤵
      PID:3412
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:5036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2540

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 04737f1d17fe294ebc873dce3918d8d6 tS5/P0Mzg0qS33Si/bNfoA.0.1.0.0.0
1⤵
PID:4528
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1356

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2944

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2128

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery