orcus | 6eb1179500bba11bb328612e0938cd5753d6569a45882a0ecc210f29fa5a7d54

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	UZI.exe

Executes dropped EXE 1 IoCs

pid	Process
4620	ajhxf1eg.0mo.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4824	UZI.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\631a2839-6d75-41b3-8208-209d15cef915	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02xhkkriycidaqod	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2045521122-590294423-3465680274-1000\02vykofsqhkcdfvj\DeviceId = "<Data><User username=\"02VYKOFSQHKCDFVJ\"><HardwareInfo BoundTime=\"1737691134\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1737691213"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2045521122-590294423-3465680274-1000\02vykofsqhkcdfvj\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fcyzceuqjvfcsp\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2045521122-590294423-3465680274-1000\02vykofsqhkcdfvj\DeviceId = "<Data><User username=\"02VYKOFSQHKCDFVJ\"><HardwareInfo BoundTime=\"1737691136\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000039281a63756db3418208209d15cef91500000000020000000000106600000001000020000000c463a368e8fd5062ae6730f39d79b1fd4a8c8dd0bd1f15cff1d8d79030724556000000000e80000000020000200000003b6ca3e717b672f2424d41969cc54e9f31e1bae8b62f481efcd978e53ea39704b0030000ec020458d9d797430f3f843e34183aa85d4d563112c6d47995dd459c45e2877cdea5345d049d63db2faddbbac9ae6beb4d08a24c5433bddf02a0fd9b3c8af3c7c38a20ee476b64e62e1bbb36fdfaea02d06d28834365d7d490bcbc79285afdbcfa584e0eff2be3ae251bb83a2960b7ca06f07d013de7a0153df5a24c90ff609971e5950dfe852a73fa947fdcec15fb6ace2f98412ae477b353654c25b4f67e4a65304cb819e5ad3670afdf0bddce913de0c7528ceeaa5417c7762f693ec0a4d711ff6ed8b514f2364ef74931b4e24cbf7fd0520298736342a6223408e003864df3b3d7d067da7e46427d0e09ba3a895a387e7c2839ab7666b67f1b99a5338b68c88815408184117b02e14c02abb5e79be9318fc68af8e23a317073f117925cc7d4a38474eea9110109ed97b95408f16199dea2eed345e5e9a4dd6d42dc55a345ce57e55afe0d2e441671882cb94880f1ffb3de9dc15f6574f76c03f6639669ecc4ea9e183159d80d903ddbc5da941a79ef6c2489122d6f7a348548e4ee2d65d2794d2885e45cb37b13c79ba748da02c4b3f6496055f20a73c7ddd6eeb103fdea2519bbd0fe6c73b5dff3f096bcad8ddeb0a943a5fdec6a57bfca761a915931b5a1ef71bb17868111ce37dc24fecebc8f2cdaaecb5687dd1b65bacf90e36cea08d03149ba85a408ef316f5d1a0a3d36b1140c903a25dc79d073a6ca2aa2a400103a7aaf2750d5d847338361279cee7f01092395a9a9dd50da4e4519b00757e3e18d6496a7d8b5bc1409713af5be0846f2d713184127c20645651a6b1bcc77ca72425dcac785b22d1b142e58929839f45cf94372b8a7de7bab7f06ebc35135234a7d7ced44ba917bf7d98b3d300f5afd1b5513b257f0921dfe7f0970df06b89d5c206c9f19d04739e9452af5fb5c60e60ba1e5c3bacc616893393eb4e5d3e86490a29d612e5ca9320dde4ca9f445c45f7524be7682456450c65e2a4797b158990f998acda0df51dc2f568cc9bd12056e3c2ecc2f4b381372844ce6f5bc96fca2cd64442ed3c134b925ecb185e5ac562f5f7c2d5d226148a40647ec8f8087e6310d784a29015d7b3e2d8a696dae193e97a2086b716712ddc0a3b251fbff06360b00a957b087fb363d77e09df924f06396fb28f5102ad55d209657f6a8606da4cf94603cc8e3f69d2fbedeb90888bfb3ea8c7d7909ff315cb614cd60ee9d976ea0bcff4a4a0ddecae9ee228166fd1cf905cc25d592822e7d62295a9661fd57ff0f58ba2cd293784369523891fd84a5468ee94f0f006314f40f791dd698de411ba98c8b1b6ebb24992149ba8cb932d184dc3240000000a234b21284a5a6978aa20531ec7751c64e5a3d87b531b513f5990fa632873f2dd8d167ea7cff1c30c1eca2e4dce7e6164e1c39a51f1bfd1c8d86f41750a922b2	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02xhkkriycidaqod\Response Friday, January 24, 2025 03:58:48 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAtgObx3spkUaDMBQ8ZqdLOQAAAAACAAAAAAAQZgAAAAEAACAAAABV6qE8EwM2KagdrHcJ89aentNA5ijlUpbJOl+mf/odPgAAAAAOgAAAAAIAACAAAAB14IX7Kz8S/SWJRkOs2a8RgQvndiXPReCPZe3C9YR1zYAHAACdE/d8hG3gMMtJ2bC0dKktF5pi9PpwEVJbsfuj5QZ62Ox/bRXuogseFbud+mzqEm6+kotcF152vvaOvbFrAgos+68QH0Ju9empJvfKuOtZUo615EYYCnUVgZgb6Klx4moUxq0Zgkhp7q6JjY5ujycfR9qtir1WKwEKPqmKFwEY8nWdY89mqaOKbrtZrZMW+DG/JOR4fygDaTozytU/X02FbEZbaehomzMzVAB5bdu1ZhSOqgDr502oO7FSV7aJobsYnts9LK7Bzt9wZgnjtEXjy0pNj5sCDIg9cfNQO7TCgrs0PtMyDSJtVvEvc32tRgrYgIK3l0UdQk+YWbKw5KXqf9ApUsL7uoqaNnmd5Qvi3JjhlsWcloUetK8OXGz/1cJeVpl7V5HAV/VS2AXqS0QcOX+O2UjwQZDDgd0Wjqlj47zzWEp8//CCxo9vwhnPJc62ay5chVGWAXbmrEiR+qLF04rppmRdedR+G3zAGLIGrhoO3m9VpqckrjaH5UVpuKbraP1rKmXo+KUDM+5MhBsgGXpuKB6reDdndzIVH+h66kILG2ZKoeoqn3JhG/RgmP/usqFf5p4GYM2CkXW5oQAvIbHjPwVU6rFZrGfWdlLytUZ1A2WBUvA3rps+s3Fu8C43eOgmmP5n6GXf7+E6izwsHHFHO9mLLpdqt6Aj8eKl5XEfIQX460Pb0M18L/Srz3OgTjhx8slouIxk+/KB1PhnCmqI6w4JIZEKaW48+OOpKGzGWOD7gCodwunPVAGYP482SwIsNlIWBe5F3nkg6UYWAjsm01bORGToRIPNMR1NM3g48lZeDub6Nvg492PBqHRGIxAgR7IlJck/8QBoxoRW8764OMo4+el5LcbvWvJksKP4Dq2YX5ObEXNmgmo/4XU2w2ke9SZ0YPOHpPeQ/tSZhXZBJfjZeQ4e0mEPM3ILWEexcbjC+m2jMSP7J8VMtmmBuayfBkDXPgQ6/+lXYvxCJ15/Yz7kFKleq3XJdxHQ8dScX41jcsMuxtcBsu+yzUVvM8jHsLC3726FmQKbN6tidZaFXV5kCpkLHhxAA7tnljOmgL2xw395S32GURZHevRIvZjatls+IB95Uye++O+pr6y6/VjWpdBlMkGDWW9oVYgWDirh7hWfivS8wHtMjPTz3SgYwbD5cVFnUynGGsxEC/SgL54tdZhvIR8KGFPSRt36xfXa5zZK5G5Ma7g/LSPwPHqPBbpMggc9anE7UIF+f8JiK9YHN6I6jBxHjA+e3pv5taKl0/hOrfRQuTHXJAHou3Xanpk1Iw7BF+Pzu/WgQ9zWEhsSkIhgMh/4pNNjHpJc6YdOdZoC/7vn0h0JjBFemNDa3oj35jf8jL3HyxyHj84MrcyVR5UNfVbjc6Mgu9nSSrIzM+2Idh3L85j0kWACAAB6PBdXBPgTHLQFKHq8dqi8m7HA4m/kntyuYrPcoI6Wq7SxuaODPgIEXAVh6xo7KHo3Gb7MeiOpXj4PYcaLOaJPnhGbhzr+FFU9yHVe1G4HwVH3Pvye9RBSET839jpvoVwGnZJ8kuLso62pSzOjoRqVyRMIrLQs0qy47URczdRtYG31Z/HmurQlkebUsd8EWGL9fxh1ypUqok9J6g40zXs26sXWJoitadjovLnIfulIlY1GqDSriekqAY4yVbug+ty/ZEvxYr6gPQlp6DEcp5qBKyPiChImGPthItFhiStDL0OkGiAY7tZsQtRUHiphwXjWghNLbWpGnA/1gtsKSD28sthq9g/yF7uFcdEEJYHfMaB3+37XfNH0oBTJHuClTPqpNnvfjwJCVFFpkNbx+csSauTvgq6rAH2Mpz8siOU7LPtzEbsUpSUTe27It8C6nSt2eKCcgMWs+sbWWwdI70Ie/ByYwQpTO9t2Eja/BV/nR+gGAKM6E3PY17vduUAbD06Fwg9Vm++x1Kt1VhM5oZwN5I5JNIpQ674vKAOv9VAiX1xk7qnBQBaPetcjxzPoGyXR+GVCpJOTtbZKmc07RQ7kwGJh3PSOmNh3/5kcOASZpAtrPax9TQU1J9t2IXP8Vb3crT00ZL7gHyGSmvv+zEoMxEfuhgPqLeSvmM7v41V5zAuH9p7nEPkNUlTyEPo8oWZFvWjE0VEnDlFrLcWgbiDwv8IpJhKjP9YQ/H/0ApXvKL21/nNaS9UBVC1maPSVPhlMl3QgbZVqSUEX1AZ0Zs4xYqMYoaVFRwRYLrM0//ZzI0GENyGROHICaz9RmJlGw2IESkFR/a0OR+NFYGUeXj1re4Ns4QGrLQ8tFO48VOpMQjxYlGZZImKtL/uLPgfa3EmvueZMz75E6qBYG4vkQtyVC1pyiNf3tej1LGVWJO8ZPIfZkCk13lDJqsI+27uU77ajcUMS5asMLbNMbus4hGzgx1yzGVja3EB6NlDX84crAnyGWNDXiSEUJkkRnTRbNsBOzPA9thCvcK1zhjSCVX4oqiAjz/Ubd4lrtJNR7U9pGYRJfLtWezoYQi7yznn8HrQ2R1Myly3ylUsOvhNMqWJffTob+jCMy7TEcBGacD2bJaX66TY7zpK+t8P7gzBAAAAAkgEGXfDXkeTZtGnvNYuf00kpB0XlKv2suSzYppFfqv9NTrJI7TD+pvy7ob0SstPNpsWYGVIZvNhUaJs4Zg/Slg=="	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02slpyrjmxqojasl\Provision Friday, January 24, 2025 03:58:43 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOSgaY3Vts0GCCCCdFc75FQAAAAACAAAAAAAQZgAAAAEAACAAAADe9zeStnO4ovvShsU7pvwOEMGFLh0J4Mp9DQT16oHhiwAAAAAOgAAAAAIAACAAAADKj/A6wsoOExlmLE0MZ0RtQxOhD4gKuiZwJkjXCQ7fKCAAAAAjBpiGyZLA978F59R/GmcYvHMaABtEjmFMdmUfEQTVn0AAAACGWytbBfmpQJ00dl0z7FW2NWhrjcEqa6O8O/1HJVQ8BgiA6GlUiOf+zadc326KEXd5z8kThf3Qy9xIbzGrwYa5"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2045521122-590294423-3465680274-1000\02vykofsqhkcdfvj	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fcyzceuqjvfcsp	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02jufgdisfqtpvux\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018001231F88657"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02slpyrjmxqojasl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2045521122-590294423-3465680274-1000\02xhkkriycidaqod\Reason = "2147780641"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1400	SCHTASKS.exe
3948	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4520	WerFault.exe
4520	WerFault.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
3792	svchost.exe
3792	svchost.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4824	UZI.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe
4824	UZI.exe
4620	ajhxf1eg.0mo.exe
4620	ajhxf1eg.0mo.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3444	Explorer.EXE
620	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	UZI.exe
Token: SeDebugPrivilege	4620	ajhxf1eg.0mo.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeCreateGlobalPrivilege	4292	dwm.exe
Token: SeChangeNotifyPrivilege	4292	dwm.exe
Token: 33	4292	dwm.exe
Token: SeIncBasePriorityPrivilege	4292	dwm.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
3444	Explorer.EXE
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
3444	Explorer.EXE
3444	Explorer.EXE
620	taskmgr.exe
3444	Explorer.EXE
620	taskmgr.exe
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE
3444	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4124	RuntimeBroker.exe
3444	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4620	4824	UZI.exe	85
PID 4824 wrote to memory of 4620	4824	UZI.exe	85
PID 4824 wrote to memory of 1400	4824	UZI.exe	86
PID 4824 wrote to memory of 1400	4824	UZI.exe	86
PID 4620 wrote to memory of 636	4620	ajhxf1eg.0mo.exe	5
PID 4620 wrote to memory of 692	4620	ajhxf1eg.0mo.exe	7
PID 4620 wrote to memory of 976	4620	ajhxf1eg.0mo.exe	12
PID 4620 wrote to memory of 396	4620	ajhxf1eg.0mo.exe	13
PID 692 wrote to memory of 2572	692	lsass.exe	47
PID 4620 wrote to memory of 428	4620	ajhxf1eg.0mo.exe	14
PID 4620 wrote to memory of 932	4620	ajhxf1eg.0mo.exe	15
PID 4620 wrote to memory of 1036	4620	ajhxf1eg.0mo.exe	16
PID 4620 wrote to memory of 1048	4620	ajhxf1eg.0mo.exe	17
PID 4620 wrote to memory of 1128	4620	ajhxf1eg.0mo.exe	19
PID 4620 wrote to memory of 1216	4620	ajhxf1eg.0mo.exe	20
PID 4620 wrote to memory of 1232	4620	ajhxf1eg.0mo.exe	21
PID 4620 wrote to memory of 1344	4620	ajhxf1eg.0mo.exe	22
PID 4620 wrote to memory of 1360	4620	ajhxf1eg.0mo.exe	23
PID 4620 wrote to memory of 1368	4620	ajhxf1eg.0mo.exe	24
PID 4620 wrote to memory of 1392	4620	ajhxf1eg.0mo.exe	25
PID 4620 wrote to memory of 1420	4620	ajhxf1eg.0mo.exe	26
PID 4620 wrote to memory of 1524	4620	ajhxf1eg.0mo.exe	27
PID 4620 wrote to memory of 1568	4620	ajhxf1eg.0mo.exe	28
PID 4620 wrote to memory of 1660	4620	ajhxf1eg.0mo.exe	29
PID 4620 wrote to memory of 1700	4620	ajhxf1eg.0mo.exe	30
PID 4620 wrote to memory of 1792	4620	ajhxf1eg.0mo.exe	31
PID 4620 wrote to memory of 1840	4620	ajhxf1eg.0mo.exe	32
PID 4620 wrote to memory of 1856	4620	ajhxf1eg.0mo.exe	33
PID 4620 wrote to memory of 1868	4620	ajhxf1eg.0mo.exe	34
PID 4620 wrote to memory of 1948	4620	ajhxf1eg.0mo.exe	35
PID 4620 wrote to memory of 1972	4620	ajhxf1eg.0mo.exe	36
PID 4620 wrote to memory of 1468	4620	ajhxf1eg.0mo.exe	37
PID 4620 wrote to memory of 2072	4620	ajhxf1eg.0mo.exe	39
PID 4620 wrote to memory of 2228	4620	ajhxf1eg.0mo.exe	40
PID 4620 wrote to memory of 2400	4620	ajhxf1eg.0mo.exe	41
PID 4620 wrote to memory of 2440	4620	ajhxf1eg.0mo.exe	43
PID 4620 wrote to memory of 2448	4620	ajhxf1eg.0mo.exe	44
PID 4620 wrote to memory of 2516	4620	ajhxf1eg.0mo.exe	45
PID 4620 wrote to memory of 2564	4620	ajhxf1eg.0mo.exe	46
PID 4620 wrote to memory of 2572	4620	ajhxf1eg.0mo.exe	47
PID 4620 wrote to memory of 2584	4620	ajhxf1eg.0mo.exe	48
PID 4620 wrote to memory of 2592	4620	ajhxf1eg.0mo.exe	49
PID 4620 wrote to memory of 2968	4620	ajhxf1eg.0mo.exe	50
PID 4620 wrote to memory of 3040	4620	ajhxf1eg.0mo.exe	51
PID 4620 wrote to memory of 2772	4620	ajhxf1eg.0mo.exe	52
PID 4620 wrote to memory of 3132	4620	ajhxf1eg.0mo.exe	53
PID 4620 wrote to memory of 3164	4620	ajhxf1eg.0mo.exe	54
PID 4620 wrote to memory of 3352	4620	ajhxf1eg.0mo.exe	55
PID 4620 wrote to memory of 3444	4620	ajhxf1eg.0mo.exe	56
PID 4620 wrote to memory of 3592	4620	ajhxf1eg.0mo.exe	57
PID 4620 wrote to memory of 3784	4620	ajhxf1eg.0mo.exe	58
PID 4620 wrote to memory of 3976	4620	ajhxf1eg.0mo.exe	60
PID 4620 wrote to memory of 4124	4620	ajhxf1eg.0mo.exe	62
PID 4620 wrote to memory of 1480	4620	ajhxf1eg.0mo.exe	66
PID 4620 wrote to memory of 3184	4620	ajhxf1eg.0mo.exe	67
PID 4620 wrote to memory of 4628	4620	ajhxf1eg.0mo.exe	68
PID 4620 wrote to memory of 3412	4620	ajhxf1eg.0mo.exe	69
PID 4620 wrote to memory of 4028	4620	ajhxf1eg.0mo.exe	70
PID 4620 wrote to memory of 1652	4620	ajhxf1eg.0mo.exe	71
PID 4620 wrote to memory of 2132	4620	ajhxf1eg.0mo.exe	72
PID 4620 wrote to memory of 3740	4620	ajhxf1eg.0mo.exe	73
PID 4620 wrote to memory of 5000	4620	ajhxf1eg.0mo.exe	75
PID 4620 wrote to memory of 4564	4620	ajhxf1eg.0mo.exe	76
PID 4620 wrote to memory of 2100	4620	ajhxf1eg.0mo.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:396
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 396 -s 3504
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4520
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4292

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3132
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:4792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2564

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2592

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3444
- C:\Users\Admin\AppData\Local\Temp\UZI.exe
  "C:\Users\Admin\AppData\Local\Temp\UZI.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\ajhxf1eg.0mo.exe
    "C:\Users\Admin\AppData\Local\Temp\ajhxf1eg.0mo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1400
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3948
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1316
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:620
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:2672
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4628

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4028

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3792
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 488 -p 396 -ip 396
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2408

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2180

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- NTFS ADS
PID:2288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:272

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e723163ec8431713387ee4b240fb5fe7 B8oxsRWli02s8d7CCcCStg.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2616
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4460

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1380

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3048

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3472

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- NTFS ADS
PID:3172

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3188

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery