asyncrat | 0c4b7a3670f4ef5f7ba2d7e820cb3df837a72c08a4d039768b50617c06983308

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 62 IoCs

pid	Process
2972	cmd.exe
1376	svchost.exe
3156	cmd.exe
2948	SppExtComObj.exe
1160	svchost.exe
2932	svchost.exe
2728	svchost.exe
1740	svchost.exe
948	svchost.exe
4688	svchost.exe
1140	svchost.exe
3700	svchost.exe
1068	svchost.exe
4484	RuntimeBroker.exe
4088	RuntimeBroker.exe
1920	svchost.exe
672	lsass.exe
1908	svchost.exe
1308	svchost.exe
4064	RuntimeBroker.exe
1108	svchost.exe
3076	unsecapp.exe
316	dwm.exe
2284	svchost.exe
1688	svchost.exe
2076	spoolsv.exe
1988	TextInputHost.exe
4632	OfficeClickToRun.exe
888	svchost.exe
1280	svchost.exe
1472	svchost.exe
4028	StartMenuExperienceHost.exe
2844	svchost.exe
2448	svchost.exe
2644	svchost.exe
1460	svchost.exe
2836	sysmon.exe
2440	svchost.exe
1056	svchost.exe
2828	svchost.exe
1448	svchost.exe
64	svchost.exe
1440	svchost.exe
1832	svchost.exe
2124	svchost.exe
2616	sihost.exe
792	svchost.exe
2216	svchost.exe
1624	svchost.exe
440	svchost.exe
3392	svchost.exe
2856	svchost.exe
2796	taskhostw.exe
2196	svchost.exe
616	winlogon.exe
1992	svchost.exe
4748	svchost.exe
1792	svchost.exe
1300	svchost.exe
3584	Explorer.EXE
992	svchost.exe
3484	svchost.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 15 IoCs

pid	Process
4332	sc.exe
380	TrustedInstaller.exe
1856	svchost.exe
4244	wmiprvse.exe
1084	Conhost.exe
3784	svchost.exe
1196	svchost.exe
3284	svchost.exe
904	mousocoreworker.exe
3480	backgroundTaskHost.exe
940	TiWorker.exe
876	backgroundTaskHost.exe
896	backgroundTaskHost.exe
1008	svchost.exe
4564	mousocoreworker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe\""	cmd.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\ASChelp.dll	cmd.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-12-29-21-20-54.etl	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-12-29-21-20-54.etl	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
908	0oj3.exe
908	0oj3.exe
3040	cmd.exe
3040	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\cmd.exe	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2276	sc.exe
4332	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02njoedzdentqcqq\Response Sunday, December 29, 2024 21:20:55 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAE/eHKJ8b4U6Hvo3CBP9xXQAAAAACAAAAAAAQZgAAAAEAACAAAAA6U2WDBo0k1evTOxnNwY9uWiDhWgbyeIV2nN1NuFGzpgAAAAAOgAAAAAIAACAAAAAFJYqDhcCziu/GjcaUx2qmeJKaMGGe34cURhG6QO7DF4AHAAC+7stkIgIxY3a8UNRbPtZoEVDsVk82sLlW0kyleSKckz57vrt+G9KPIS6r094znKpQAZKWQpn/wRTmSKGIw+cSBOnqqNEbzjmcPAcJsbsHl+CSmltVmePEVSz9cR4TGaK8bYVjcxx1CwFabl7bYBpwE/HIsKALLK8CUsDxC1cvZCGxm1M42s4K36Whi7hKIhoiJzD1DsrI8aBbxunQLyXyAZT90bamxrjYrY9zh5Lb6BMPWNR2pz+Ke0zXa8Iw16JV3Wc54dvz0673NaLK7n9aLJMI1V1PttndU2IuIxyDSeLW7NZVuhm5926lz/9SdeEkRO8/QVnygBl6+QS76JXDL0ODtrA6WatDpBbXuPEjpo4KswDh6JhHRSzG56WkBdNc4EcCtUH3k7mc9/LnU5X4ekKfuQ+OsLGQnn9x5PA+O8wEWuO5wPJ37Y/NwgvyMI738h68zhg+ZcFk2ncugXcq2ZPXQfsbrD4PSVI9oxXCiEgVedu3/7gaqbzJwRpJtS/isaq3dWghzhktdf+B6+Mow45PFC+w7wzlMd5VBOJlIy4M4KfTsg/0/u86GxIRRQXDObDYsXXVw7pBKdt1Tnfz8WIxnQYU/43S3+F/RoaBGv3Qw6utT7zUNITegvh2FuC5YtPM5DYgis2UCzj7ksrQ1gtZw3FW23cIgmlDzb05y8X541UVz/n8grSbPi56kNyVwK9ZoiEA+J0P1OJLNeUPFATgtq+2pjcBmgdV64sOOoYaeOZHWSY/5P4FMJVdV9Qk48/MnqE2GHK/gy136ADk0KWvCimjbXpyIvf1HjQi/RMP+ZwhXg2sTZoeQa9gJ6foT9Uvkzh9DzzxVg8zbYA1FrI9yClBTEEYsKmUI1N+wfH/FYpjZVYEud1Ncm2E/PgOgsFpRBf4rrGON3dnVtDOlcCEcBgHkNgN6CIutTomcvNcHUDYS9R0yqMazSBcK6XCCL9/BnZnB8taqM2QmFW5oUrH6TqdIlG/R6n0b6XKmjXPCnPHAS1uEqREN+6tK992S1zLFHA2M7lt6I9agZh8B6eWXQVMfucQ5eqEK8KyFGhyKHwauHJP4Tn8BzmXiJBStQThd8zYy0CHr61FrSr+psjKmn7Majelpw+Yo8I4NwlFnA52JfK/mGzf4HFlJMGzJG8qnAjbKnnDW/tkdWlsm5wNAS8Ji9z0Zw0D4x5OW10nbM5JHlCd9l3UPNtULbeel10VHJBKzJC7WjFkUbY692706SWv1R/sczMExM1WVYonqhCBhnymkocAkw0/GR5/FYmzhVa4NljpNuWQSSkf2HGBgnufqun43ZV0rmZOvUV13o9MxY9FphUbutdy6/42k1YvrrsDKFZfeBQrk0PqaIvL/hJChFhvJun6YU3OIY7/DHQYGBZ7PC1RuYHbDtEBK1CHXmffPkeaanMrNyhYSflJdTEfa8v2kqM2tdoAK14aBnBkcIYsxahltiMKS4ho9qjbeL+2dTB8C7euHnc9OcbA/4+TE2bc2q0tB1BPOTtDDI2zXJ/Q0jZd8BNtI/+iJ1nzL0r0NnQeg3h8KL91El45yEzDH2sOiZ6/S2lxIBRUjw0dMacP75FjVNF78jrMNPFyzpeWD4s9ZROJhPqlf8T+rQ3U9+8co6E4XQvy6/LiekkZB0gmEDMqUeplpzsSPyrKfvnDdxP+EHnjMF51i328Z6uAq4KPQ8gSa2IFzuDYdjILVRc49aMk7beWEZ9q8A/fj/Knbsa2EYIPbLieqi95FNvBnzsZHfU+3q69sdRi8EH3mM0tuVkoC3p/lP0ZXA2YoH36yHTZ/219fYzd6PDFXo90ic7fJ+6902SdF2Jbfstkw+A+a3BxY1WwVc5Tj2wCGf/NfyOkVLI+FqWrXucz9dc8dztgypPiM3lKIoO5XpmE6aTdUNy3QYgQduKnPxczbasC1PqU0ZpGrorBEpvY0yFLfFV8FL+Zc8eim8loISTTRQMSZjdOOquEXS+Sh+AHisSgRNYLeIG6vWlWuYjKhts6qSouI/Q+SszxDDxS+1ecH61MNzTj0JNxuSbugBoq/wA1i89zJ9DuvGi+pTeThv1uM7ztdmarIzoHF30ghD19UcteFxfqsBabQYj6oQBMXOF+M7Hb24joWk5HhVM5U+SiR+4SUR4MTf69gVBfgKj0cTJOe7w6EbCJ7tWZ3rPruFd2NJ494k+XtO+kiw9XetqYcZkTrlQ+lEHdWRH5XV3yVh/0U8c32C+ttiDZ6Q4IKBiM/b7WjVIXSk0i9G+T5hlVoYKHF7xUuz6x6cZJvwaSGFf25gGicwthnefQj0X5vE11/fhkcI1ntkc50ofAWaqKbLrjHkdsaT+s/oWz/TWh4m5PSNREUw6GG4RAPipI7eh1WX3a/0RzGSpgMCAw0dsDLybhzM9Aty/SA2wyBlVqTFiaN8M06Clx5vZs3DSTqebezUXtBWzLZhZS6mY/EzC2xFriI2ZY6fTejz2NzM3w8LezVA+yfbu6at1ioMQKK4IOsv/1XI6DvSS/uAtpk23HkwdTYWCZC/j4iXPcNlXcYEeiUSoDraMWGotAAAAAsAbzzCTXo3viHqlwhsoauY2dtJEQbqfwnp3Lz1gaOKYGHqKdVOyfAZDxdxrCd6YKlAOYQRI7Cxc9CSh+VJ9a4w=="	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\ValidDeviceId	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02njoedzdentqcqq\Reason = "2147780641"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02njoedzdentqcqq\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02ahzsqkyllvtyix\DeviceId = "<Data><User username=\"02AHZSQKYLLVTYIX\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 29 Dec 2024 21:16:26 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02njoedzdentqcqq\Request Sunday, December 29, 2024 21:20:55 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAE/eHKJ8b4U6Hvo3CBP9xXQAAAAACAAAAAAAQZgAAAAEAACAAAAB+jzU/lWvhdUg7S9r7QGrMgByZ2OeaecLGnhXSGuGOHgAAAAAOgAAAAAIAACAAAABa2mBhsoqcFGSf3h08gistcEeBlbVafYKYwwsXzBM0SbASAAAnV5jTmXfof2LEvRP1ZWZNS2S/bv0opzCUWC8J1wxz+9QjI6IyWgcKUy4I4sxsfxAH0b8nyG7NIvaunn9s3bNBuI1XmC8PTcqIrOsPg/AnyP+1VsrCMD1hOfxEFxykkFy4hQM144lMCwKTT1fSl/gETM26kAXlzzHxNAwtjPraxWr2heNZ+twiQLoxXgaGqUjiN6yr2GR1y1UJFoTBbfFoWcbu5VNNvXSO165Ab0MPP5UTmYwWdMuQje1Gh5AHayurwxEQHu5LK89Bm33yAcacSO1ePVVVmhTkIinwp668B5sNVxDBNMIBQuKvcP0ygY5c8YB2ikdKjJh5C1bpQCt5lZ80VseTN7yfjsV3lR/6JhTAPWcl0mlJuQspA7zpTrXNlcSNTNolyH8yzhsDN/h2kZr1CHCRfSIA/3Y+J14Budgw/SO2eQrmi6XSkTJD032x5sCR+zgahKPAqsYg9C+c82RQxaq/hIw6w8alWZj83CvLuX92Xs2sgFBV8ZoNq1PZplL8DUuQqNCurm0g5cvyzd4ZVZuQ344YPUKNxmw/HWo0iosVBImggNM+dfHNmsKJwBeztSmL7TR0cHDHWA0QeYmfGSbnM6vZMZqZVXSU1Ycu82ABwrdaLUxh9IAcQiLoRdCOE4TpBWXKRpdDsrgKWL1PmZ9yVWwlGSwzcWf+ppjHZFt+vA+PfvXBNZDwgI+HfPaeNJLGkrXswryue1pBvTVxfThmtkBAkLIycfaMN/sz13h//JFQgiURXhtc/DB5TDWaQVT5+CT7Qw3J69HTCJQpMMQl2dGCdgRzY7mRXTBIB6Up3iUHiCKfOAFGZuNZUd6ol7KY7J9SD9bWPs9VvFh2WdO6HnKxzQfLmwXVOlYui4q3JvD8DDUfUuB6nSf2rJcK+iVSziSQNF09mdlhtZJ2Xe05fwOrRqImC3luvDADUctPteMzV4SstCdzaFuOa4bsQsHyUp4k/ExoR9MWIriZXyNcUXWYGf9FpwZH2oA3yTAQQRXFWQLBEeI1i9YsyjXFjh6ENk7vA0hygqB0itE9UWeszRz8/f4oOb/eaICjUDxsOykv/rw/9RyLxVwnJNGbremY1pFgW8h8g+Mft9KRcLGe6a5pDzQqsXdsoO98mLkNSKJ6hn3QMCH+FDdIfld1WsikgkMX+FvP+flzKvN8Pts0hClH5WSE8VnUyEGkkJK5PFI9OZTYS/GLuJhp2iDlCL88r1RBCYJZYehznEk27EEyIBGTff6esh1dNEuikmGxQZah7FBwgfh0HckFAluqKoHrMa4FiQ1gmnmg4KWCrQ/JjBBJhiJ+9FzKQ5bSfyJ9/BPwYzdwVGwxlJQaeqSypfxIeH9Xk65B37D1e38NjR0VsE/y6UYJ1963gBbnhfl1mhlY11xGjvT0j5okSyxtKxKS1XdzDDVZGIMUk+IkDB/tm36PB1cBU0C8yflM0xD/iXpvOBdNEfZLNnK3f7UDkIcdd0Cdr0OYT6dPODDwoe/pDEk0cKDt0IznLLrAXKExiT8n/CyCDDBVqoZtkjIBui/28y58QjKLigSCW6jsLSZmTZFRzbO2gdYHQfXjMb3F5GFv63Hbu26doqbyMF3Ss0d/FQ128/7ExpPPIbZJ1zX3kqbNH+1WHr9n7w11xWUe5bvnE8fAlkOvZB+LQzEDvcM0bINAbPt1AB99o0I59qzOz9cYyW1hp2G4GOdNdySI+p/gQdMfvQuFvbZ4Cs1I9hDq0xzdtvyY4R1qa+BRgngy4Zq8w/m/xIZtxMUJqfB29eTVSil2AJQDNvtPZ8ShxDkTECUWbIZnMyyBGStQnCRrpZmoyBL8IMK/GWD6vTp+JhU5QuiohsIXXcw0RhBYuRyMWAlKbl99Zk4RGDulLJc7fqpJPizefZ2l54vAmMRae25jpjpi8V3geX0KGll2YvGS7OqPCjpyEP9EiSolb8VC5DPPD/+QSJhRkOEA3jPDE+14oSFPQY4caR4d9DkGsKlChB9gLpVOF2WCUyIkY5+b/tywikTSsy8L9ixJKnkms98l2Ag+FmcLIyQBq8S5HWHKKXrZGgavZZ43EGu/1pgBHmODBbVuDtQdFF/asr9WWslbMPJeEAUiqFH6bvC9ZPKX/nciTVKS4WtMNDwIcCPQ/Po232bS+ne9SxT8zl/eMm6+Txpl8R2qywoRLACODFFTo0gz2lsAorx3oq6st3ygoDv7/5hcITACOdyHr92sLsMPERLWujQlLeyVSyxwYlHcuR5Byziph0t9SavhjZQGcLBYZJeLe08dpEAMICs9Hcctp0Onw7urKUk3H0pJkHnFugRvV5G7ME13tWBqa1Fqj3mmR6H8aZffRWSOiRC0tYrn6HoQSjD7EgRnCCUjRW4RUBct5AkhVtlrmt+ImhEHqcIbmNbH9m3Q9GzzAhPLinaSyEI9WrvEsiqQQ6xEKzJGKhHBbQKteWwSH27bB1pweCfr7cl2JFoPqpyltMZ+EpZgbYzJ6XpFSCFrKSXe1P94GXR6i6XfT5stIq/vuMsL5cbDd3QP5QRPeJza7arIBMMHJLBPdlJhCkAqlihoHmLWqAJzHlrISZ3+YgeGX5FxSz5nUFcp3nDyI9EZzRJ5OCt5/jrX323IijdOCKODQrwwfcIlHy6GNyMm23HrlCKi+/VOF/8ImGLNrhkUF+1aj6NwUsUY6MiimDtXhxjoB9/iHtpy7MvsEDx3u8tuNEsMN4dAPsnEWuC3JNldFk1vFq9f1Sgokve8Z04CcYPpvapLLz9qKU6TTb+dlND1XOmwT+4r/X9coRezVUes+EqylTZ7qM4+Lfm2CYDhWlyHBo9Clzt4jGnSCnd/wwXcWdcqed+KxxAsGX4/WyCGS0rQqDi1nzGLA2YfxGCltXXymxDxP643umTni1xCdqbAFgKqsY5NYnfSugmJNXK4eYgLl2rfoQIDv4kj2f79GGRroRN8QXGq0CQfNvyNJS212plX+f2CkLfYlAOA9lTPE5U4scJIeK6xSPA+BTzj0aEzMt39soY0yIKXrOPAvAtNXhqfgk+6m1koVssoUa0a2VKw1Veb9s/ACrDZXNdxVNHCNx3BAlvF2nDgHvLbi7klXhRS9QhHsntqz/VPd00k6GuBTUR2Tpf3IJeEKqL02O5i5oioLbb/04QPo88QrjG/TJQwm7YS6EJrkVs12Rj2q9jydxk25V/gGsD6FPTrJy3I5NfgVOZUQgdNvUokBOHSXkyWo4jvstcmKxSaQZU27OEd1OYKOcZowqa/1Da/SP0n6PJVj3iRj+DGTKwSuRcAXcu6uGkvN4mjti+ph8hxb2CHNekTNnXRpb2odAXJqOmc642vI11cUhB/XzigMpxhEXnFeNi55RM4xHOmNGEuTveIBnPGAWyTqgmzc/HrdWl/a2DMrbLCoXTS8lOpYFe8zKJeqb0LH2OUuvOcbe2oVAwjfUVGiiM48iHtemsLtWuDJo/t9stSsBc2j7mEOzCrUTTifKjBvf8kClTzElgb9ppEnCb74ubPsMO0VUJtpd5fdSOx8clfQ+pgGbq7Kgjg8lVHEAyz+qBbAuUanQHM74adHprnbpjBdgHqnVqXcjJdmqtfiLHT4Qi1T4nC5B98ky1bzu0QF7diuHnzGma46Gjc35krGr852/EqGYlugci43ErrbMkr4AObYxXMXj/d0a/u3Oydg9bemzCbUgONir7RNroVXhLsCFwnIzhCCAUcstQLQZF29UfQ5nA3LvxXGdYqmjgPCEJAGjTfTDkjKYaMb6UXFZeTg8dQycQ3GZAm3iRaJMueYa3umFIFHHrAf9nUR2LFQtnAF+PnJiqDqVkU6bXY+0GgRtaQkYq7Opx28BBIV8H2YowZTfghVJWVaz5Z8BqwjG3/UwqAcPaP2PVhNbxl0a9FO/1m8W3hEVieieBAx6NjH0e/SI0VibhQS4o3jA9qm/buL8Ep4ks5ehMkm2eM4jOhhedErKaTKcfC/ZISU0uiTHw3QjRyNc9qHoOTMZQtasirZNmR1qqefy1Cb27TcjynmQqgVbsfyyWQwQAWbbeuyDgtzx5aqVzGdjvKNHNg+4iGEuw0Y62LHsEWcFwiWlI8STGOW46sdGmPsTZDDm9r9L2q0bzA1Q7A/2ZNHl0Uf8P0SRNk2jlGO88EWViNK/eiMhTzdH2tD4qO4KLnnw+d3Aj2e+n5P+RbfK1n3UnnRHmSazX9oaF0dg5VlJDo2CHZxx4taUrJf0/l5nsMzFr0UOrK3BlsKi2jHj5wV/2G8vUgAQ/lZIp85/WKmi+Ll9nbeQA5tth1x0dOxWZz/xk/sM9n59L4lbTO/W2FQikbKbjtFjbYIKfDV48BTN3MifgC85CfrWnEXgT8CqBG2w/e609Y0h0QlNPvCBFJCekyMUHjduJDy+x6wGetJoVdz0g9fDujPezeJVKrPCdyfoBOQ6p6GTJychHSUSyjFi5I612DoRUKkfXsCeos1uuZ+M94oR9EXvXjLUIxTB1jaLjrZOzO5mfY4jnx+uD7X7DwAQFF+zIWW08LHqexASazEEH0Wk+ZcCBopYdVe1aEfScDX+XPoex+dYXPC9LJxHWpBuPAqFwETl832/j4ACPBJMuCuiUf2G+J+l7zB4xnosstwctW0txqcmaHUR6I3HTNQmzhwCd5rtELx+waU8m5Pdn6IDV45aQMELslXrru4yyCH7KM4b+IxbWWsTA8Fmt2hTtZdxFYD8Fkm/kp2CFxq8srM8DOVaRQ738OFCSY8b4vJSkcqShMYSGbBJhdMgfWpXDNtcX/EL/7Imprh+EPPRFhrtjJ0NO8FzVtZ0GtH2GgtY8P5VVaBew81TBCvZUwVmz6qp3M+1mS97zM2dZtU49t71XxSUQqEu89k7mACvjy4ApCe9c/QAybxk7iAJ7fH0IOzKq969U1wVRyeH/OAHU48+350bXNW0z+5O8SeXfyfnmHk0yD7sJBTStqocjd0kCmXuorF6rjzAMhN7ehVLrtRBxDokHw0VH3Rt1r+K3SM8Er2Ya6wcABjEpJgX/b3vnJEEL0tiGuJ1nJOIK+crM61JzB7qQTRE2c4du+/YPXAVG14MvmNR9DhivK/6g+9uXjysIxycPVY0GOnzQqF0vviILjcM4Jr2nGAUwqpMlqPk9jbeh7m2dwjoIQDFVJlaCuzmfd1SfNlfSAsbucI1ncyb9xQagyJliERx6e58NHhuyR6hBtdJD/g2V6TieeNauqYAg38wnIyHlmy2OHsiLDbVdBb5YxjBj0JecOCuP9OctADF5yUNGzb6T68FnX9oJqjYJ8HsgCe4Di2eczxMvvfnVT7e1Gv9NqOt7GXNlT44BVLd0C98Cud1DuWEH3pi4ZWaCo9rvo01uVMp8pIW+lIFxl8qdSYe+N3kutBcJM+MJPyYoHgjkoWuUsfI2znxjtqJXHit90dKd22NH1wPyBDQUhnrI1rvNHDxnKWKe682QCJw9sSSfbKcFX3khfZ6aWq2ExOXp64Q5AtSI/ilrcs1qXcrDXkLyr7KggCNamFDPH9Jd03/YEVAC8N+aeQ6W20GCfXYOUvYL2RB8+aHBfMTA7OFM3/NrNX2vbZSQULh4Pv9EMSRLysPVGV6DbhKylsjto/ZFbXu07NN8Vn5TZ4ifvbn4CqJhBQJkWDpq0F2pl4RZDm653Tc0ZzG1MFc81NIPb9DUcMDVyNmsODg0DcshhEQtcG4R8Wf1kQuDZnDUd7ZAqdHt6esbkpEqd+4sjtBrVjZOq2uBtTQBGnyxrm2hh/rXghm06iU/8mZLlGlCtjxlpgxU042v/AS8ooUC8ucdnQbl772rYhek3gsrRIkq+YiH3ym9YuxTpyomm3EF7PLhqAsTlar4S3dvjpF3wcvpJ+uwjBepCaVUpnoVgk+fEs60ixnvv6ZSa4T6ilPYYMpqFCjdrSMUO3kRXkOpmLFWldmTlX3xY01UpjCqebvyq2vQWLLGWyW4VdUACUPef/mwnKAPRCaa4rV7o002frmR0eV1Q+SSuXQIl4vs9I9dSW3R5mK29LWmb+dyo2zbjgKUJj9+Xrbmk16RgDJ6BKnnnDua3i6LRB4fKPeFy1g0Il7UvSQhs8PhlI8UUglOy/IPdviJQrKvHxwdc2s0xKGlGgsze8YcDFpbb8D4aCtWGhYckW00sJVyYGeXm0Vf1rvj3r7rw+W/dahNmdQWILOjYYRtQdd5X5UziyLHTed9Kvndpaf5lvKuNY8wHhJTbP2tG6xudlQ94/uttRYSrdSEtiBjobOpRgvsdplwgvCea55FLGHN8I0Vh8YD8rbGyCoaSlhsgfsMHv3MOf0nnDrViXrSRGHbt9NSdNAtc5q6KyLlIlI0pozyB8NeFH7Ul2bt0rqfv4bqo449Z+X89OmsgaEAAAADFvSgMD+r6PK6t2jvOI9FlGsPdF1GoDYTFetNrR+skrqOk06p7r8QNNRzHA7taNi/Q8L3YEeBtwSOw3Oa1oiGR"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02ahzsqkyllvtyix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02ahzsqkyllvtyix\DeviceId = "<Data><User username=\"02AHZSQKYLLVTYIX\"><HardwareInfo BoundTime=\"1735507260\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735506982"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={46D1E072-05E8-424B-81E4-41BBD7F0FDBC}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02njoedzdentqcqq	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02ahzsqkyllvtyix\DeviceId = "<Data><User username=\"02AHZSQKYLLVTYIX\"><HardwareInfo BoundTime=\"1735507259\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\ValidDeviceId = "02ahzsqkyllvtyix"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2878641211-696417878-3864914810-1000\02ahzsqkyllvtyix\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	backgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133799809183688149"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799808550742025"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799808550273604"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799808574648442"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799805213169736"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799808554023003"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	backgroundTaskHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799805215669597"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133799808548241963"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799808548241963"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799808572772965"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133799810994781290"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133799810996344760"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
908	0oj3.exe
908	0oj3.exe
3040	cmd.exe
3040	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe
2972	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3584	Explorer.EXE

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
908	0oj3.exe
3040	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	cmd.exe
Token: SeDebugPrivilege	2972	cmd.exe
Token: SeShutdownPrivilege	4088	RuntimeBroker.exe
Token: SeShutdownPrivilege	4088	RuntimeBroker.exe
Token: SeAssignPrimaryTokenPrivilege	2216	svchost.exe
Token: SeIncreaseQuotaPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeTakeOwnershipPrivilege	2216	svchost.exe
Token: SeLoadDriverPrivilege	2216	svchost.exe
Token: SeSystemtimePrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	2216	svchost.exe
Token: SeSystemEnvironmentPrivilege	2216	svchost.exe
Token: SeUndockPrivilege	2216	svchost.exe
Token: SeManageVolumePrivilege	2216	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2216	svchost.exe
Token: SeIncreaseQuotaPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeTakeOwnershipPrivilege	2216	svchost.exe
Token: SeLoadDriverPrivilege	2216	svchost.exe
Token: SeSystemtimePrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	2216	svchost.exe
Token: SeSystemEnvironmentPrivilege	2216	svchost.exe
Token: SeUndockPrivilege	2216	svchost.exe
Token: SeManageVolumePrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	4088	RuntimeBroker.exe
Token: SeAssignPrimaryTokenPrivilege	2216	svchost.exe
Token: SeIncreaseQuotaPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeTakeOwnershipPrivilege	2216	svchost.exe
Token: SeLoadDriverPrivilege	2216	svchost.exe
Token: SeSystemtimePrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	2216	svchost.exe
Token: SeSystemEnvironmentPrivilege	2216	svchost.exe
Token: SeUndockPrivilege	2216	svchost.exe
Token: SeManageVolumePrivilege	2216	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2216	svchost.exe
Token: SeIncreaseQuotaPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeTakeOwnershipPrivilege	2216	svchost.exe
Token: SeLoadDriverPrivilege	2216	svchost.exe
Token: SeSystemtimePrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	2216	svchost.exe
Token: SeSystemEnvironmentPrivilege	2216	svchost.exe
Token: SeUndockPrivilege	2216	svchost.exe
Token: SeManageVolumePrivilege	2216	svchost.exe
Token: SeAuditPrivilege	2828	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2216	svchost.exe
Token: SeIncreaseQuotaPrivilege	2216	svchost.exe
Token: SeSecurityPrivilege	2216	svchost.exe
Token: SeTakeOwnershipPrivilege	2216	svchost.exe
Token: SeLoadDriverPrivilege	2216	svchost.exe
Token: SeSystemtimePrivilege	2216	svchost.exe
Token: SeBackupPrivilege	2216	svchost.exe
Token: SeRestorePrivilege	2216	svchost.exe
Token: SeShutdownPrivilege	2216	svchost.exe
Token: SeSystemEnvironmentPrivilege	2216	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
896	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3040	908	0oj3.exe	83
PID 908 wrote to memory of 3040	908	0oj3.exe	83
PID 3040 wrote to memory of 2972	3040	cmd.exe	90
PID 3040 wrote to memory of 2972	3040	cmd.exe	90
PID 2972 wrote to memory of 3728	2972	cmd.exe	93
PID 2972 wrote to memory of 3728	2972	cmd.exe	93
PID 3728 wrote to memory of 1956	3728	cmd.exe	95
PID 3728 wrote to memory of 1956	3728	cmd.exe	95
PID 2972 wrote to memory of 2276	2972	cmd.exe	96
PID 2972 wrote to memory of 2276	2972	cmd.exe	96
PID 2972 wrote to memory of 4332	2972	cmd.exe	98
PID 2972 wrote to memory of 4332	2972	cmd.exe	98
PID 2972 wrote to memory of 4332	2972	cmd.exe	98
PID 2972 wrote to memory of 1376	2972	cmd.exe	23
PID 2972 wrote to memory of 784	2972	cmd.exe	9
PID 2972 wrote to memory of 2948	2972	cmd.exe	71
PID 2972 wrote to memory of 776	2972	cmd.exe	8
PID 2972 wrote to memory of 380	2972	cmd.exe	91
PID 2972 wrote to memory of 1160	2972	cmd.exe	19
PID 2972 wrote to memory of 2932	2972	cmd.exe	52
PID 2972 wrote to memory of 2728	2972	cmd.exe	46
PID 2972 wrote to memory of 1740	2972	cmd.exe	30
PID 2972 wrote to memory of 3904	2972	cmd.exe	58
PID 2972 wrote to memory of 948	2972	cmd.exe	12
PID 2972 wrote to memory of 4688	2972	cmd.exe	69
PID 2972 wrote to memory of 1140	2972	cmd.exe	36
PID 2972 wrote to memory of 3700	2972	cmd.exe	57
PID 2972 wrote to memory of 1068	2972	cmd.exe	17
PID 2972 wrote to memory of 4484	2972	cmd.exe	64
PID 2972 wrote to memory of 4088	2972	cmd.exe	60
PID 2972 wrote to memory of 1920	2972	cmd.exe	34
PID 2972 wrote to memory of 4980	2972	cmd.exe	84
PID 2972 wrote to memory of 672	2972	cmd.exe	7
PID 2972 wrote to memory of 1908	2972	cmd.exe	33
PID 2972 wrote to memory of 1856	2972	cmd.exe	86
PID 2972 wrote to memory of 1308	2972	cmd.exe	22
PID 2972 wrote to memory of 4064	2972	cmd.exe	62
PID 2972 wrote to memory of 1108	2972	cmd.exe	18
PID 2972 wrote to memory of 3076	2972	cmd.exe	53
PID 2972 wrote to memory of 316	2972	cmd.exe	13
PID 2972 wrote to memory of 2284	2972	cmd.exe	41
PID 2972 wrote to memory of 1688	2972	cmd.exe	29
PID 2972 wrote to memory of 4244	2972	cmd.exe	88
PID 2972 wrote to memory of 2076	2972	cmd.exe	37
PID 2972 wrote to memory of 1988	2972	cmd.exe	75
PID 2972 wrote to memory of 4632	2972	cmd.exe	73
PID 2972 wrote to memory of 888	2972	cmd.exe	11
PID 2972 wrote to memory of 1084	2972	cmd.exe	85
PID 2972 wrote to memory of 1280	2972	cmd.exe	21
PID 2972 wrote to memory of 1472	2972	cmd.exe	27
PID 2972 wrote to memory of 4028	2972	cmd.exe	59
PID 2972 wrote to memory of 2844	2972	cmd.exe	50
PID 2972 wrote to memory of 2448	2972	cmd.exe	43
PID 2972 wrote to memory of 2644	2972	cmd.exe	45
PID 2972 wrote to memory of 1460	2972	cmd.exe	26
PID 2972 wrote to memory of 2836	2972	cmd.exe	49
PID 2972 wrote to memory of 2440	2972	cmd.exe	42
PID 2972 wrote to memory of 1056	2972	cmd.exe	16
PID 2972 wrote to memory of 2828	2972	cmd.exe	48
PID 2972 wrote to memory of 1448	2972	cmd.exe	25
PID 2972 wrote to memory of 64	2972	cmd.exe	68
PID 2972 wrote to memory of 1440	2972	cmd.exe	24
PID 2972 wrote to memory of 1832	2972	cmd.exe	32
PID 2972 wrote to memory of 2124	2972	cmd.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Executes dropped EXE
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:776
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Executes dropped EXE
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3904
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3008
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  - Drops file in System32 directory
  PID:3056
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4244
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:904
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  - Loads dropped DLL
  PID:3480
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  - Loads dropped DLL
  PID:940
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3576
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:896
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  - Loads dropped DLL
  PID:876
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:652
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4564
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
- Executes dropped EXE
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
- Executes dropped EXE
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
- Executes dropped EXE
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1196
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Executes dropped EXE
  PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Executes dropped EXE
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Executes dropped EXE
  PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3584
- C:\Users\Admin\AppData\Local\Temp\0oj3.exe
  "C:\Users\Admin\AppData\Local\Temp\0oj3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cmd" /tr '"C:\ProgramData\cmd.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" create AutoRunService binPath="C:\Program Files\cmd.exe" type=own start=auto
        5⤵
        Launches sc.exe
        
        PID:2276
    - - C:\Windows\System32\sc.exe
        
        "C:\Windows\System32\sc.exe" start AutoRunService
        5⤵
        Loads dropped DLL
        Launches sc.exe
        
        PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
PID:3784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Executes dropped EXE
PID:4748

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d89fb4d4312bf42b06d1117d78b714f6 qu/j20JjzkeyCaYKwFvaxA.0.1.0.0.0
1⤵
PID:4980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Loads dropped DLL
  PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1856

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Loads dropped DLL
PID:380

C:\Program Files\cmd.exe
"C:\Program Files\cmd.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery