orcus | 6e5aa4eae614ca049a1b2c8b803e6610b2b176a8e009ddad8df221c5899bb0ac

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	UZI.exe

Executes dropped EXE 1 IoCs

pid	Process
2944	oqrtgtd1.jt0.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\d1122fd3-ca2e-4b30-a70e-a5378017f4d7	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MasonUZI.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 30 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dmebvijkfpllqn\Provision Saturday, January 25, 2025 09:00:39 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAADcJ+p/b0FsPWhiyOhlEQbC3reYnZFEqN2zQCWwNjFKzwAAAAAOgAAAAAIAACAAAAAFXvAkqoYj+KTZCACSkSpdYzO0AbOX7ZN4KMEVnU1+9CAAAAC/JsRdRg7e7H0YyAI1S1EnQEj+NuiHZ7fezdizZIZ6K0AAAAC1Mq6TPBctFfYvU1CmEtZt3liaID7xpdTS+/Nu3lOfHC7gRP4IOWskZe7KTKic6yKvah8K59yxYMrQ7Nb82SNS"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02inkxybzzticstj\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dmebvijkfpllqn	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001840114EBE2834 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d32f12d12eca304ba70ea5378017f4d7000000000200000000001066000000010000200000009bdc20b9621390f2e4d60b426a9f0bb62f383d0f4d89e51a6807868ab8093400000000000e8000000002000020000000037ac2a2ba9e334b38dd41ac830cc22159e9a2c55e257a9115993ee6605ed5df8000000089431aca6e7e59e20fcd0f1ed25a236acce37ca2bb4cde65bf43b8ef8e4298d6a1492a0aa8b9c905deabb316bc334ad9024dd977fe51a38c28225be0803220fa7f8ab4cfc98fed54a1403927ba9f9428e479a5145b30b022ed1d6b722a5b28ff175c17a3f59c3c6ca585383663914b2b3e985d0ee44e53dd282d4b4b29936cdb40000000382c9db78f52b88b9883e2bdebad5c4befd0d1ff1f39d303c6a9026a9a503b809221e135a5d9bd70ac72c4d1caa29e82a8974876199cc805801cac8940d1bc9b	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02bpaoculioqqvol	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-493223053-2004649691-1575712786-1000\02qckosqzcprbpdn\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02lriaqphlnqvfzi\Provision Saturday, January 25, 2025 09:00:32 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAACm/FqTDX/ScQ5uZZTh9rL9dkiT3R/XMsMDOiau0KFU2gAAAAAOgAAAAAIAACAAAAAfL/I4GYxDVBM9qGsfcosTyacoh4bvxbQXT6V97olF+SAAAAA7a/SCfahOMU5Z2r3M0rpJNXRI0tc9omLZ2R9WOwntp0AAAACd94Tcn0N16Pg2XSOk80ElKL3rJRSNgamCy2BkcI3aF4icQmopMLlfzBI0a/WSIehg1WzlfJcR9VlH8PeRsoFj"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={CB617365-6ECA-496A-A0D7-824E15D2CACA}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-493223053-2004649691-1575712786-1000\02iglvylpfzmtrty\DeviceId = "<Data><User username=\"02IGLVYLPFZMTRTY\"><HardwareInfo BoundTime=\"1737795640\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840114EBE2834"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qckosqzcprbpdn\Response Saturday, January 25, 2025 09:00:40 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAxdgFcA64XUO3kyFOiOsQOQAAAAACAAAAAAAQZgAAAAEAACAAAACla+1v+bEvoXwI3PgoWp8f1otH7qi+WassWlS95qsosgAAAAAOgAAAAAIAACAAAADTp5cp9OrMxslE1c/fwmlksZXR9KQhjrCHKSz49EvF6oAHAACV58MPa669Yra5xpDmqun+/wG42YAcyCCSpDf5TcmWKKhzQTgKNV4HlDO3Kw9cHS1LS9EL2Vy1LZdyDJ5Z4sg6iQ4Mv19aDJIynwOCHMs6XRuStYZwc/ies84PPw/N5tmaWgu6gqqaeqWbjb6/che01KIc4XVfyn85hmnHSRGVAnnF7yg7WjljLZcLKRirA1CiCTZbfZQ+/AclCBwc1nV5EYbd4Z61ACqd7T1uvKg/QTOUkt5cO57YiAbH+Kxta2E4OelKzXan/il5iC2423nBevikI/7kmimvy3IJyxQ7tzewkJngNMTZ+rPOhr8sg/UfEWUj6d0Mh2luMeGbXyJV5jtR2tzP1QgjLfkYpc9p7MOD8hqqeYjBVHNNgm+RlukS7HtpY1s4qzDl63nuEdnaw45wo/zlzCE+xtefX7N56Je7aNhiDBpVQDc8ahh9lgZrPK80jVKexz+BUBNDoMRARUuJndtwe2w8RLkZHi8AKUSOTamKtzuoIo1taqeX79HP8xzT4kAvWWednABMpvT69jNGa52lxrMaAV2IPaJZg6Ovqe1rXxzpC2LkPof8uLGJa/3UUbCSrjJzv3/t6d9SYpG/Ak00lvkHqrrv+CQWxgdAGMg9Ya4ATsgXrGw7BOBu30yK3qNYH4+Ad9d0p+qwZFFrXHYvmOPKppWd8BgE/nRfr4kP/5GHMI8yaeP1PoGdHs2vyin1A8Zdb3Li3KTqy8HvvoJ60ZfKBt6JEDtzec+rWg/hkZJSc7UAw6VWL3Z1Dq/BoPKC8PoZwJKh1tCYRDQPUiKC0YBrCkc+bs9LTp2QaPAMjacQeuc/plaakT3+z/On9R7R9QHDUPfsBBSNjHo/g+iLBKVAyF24+frbursI0u1tmdfL9S4xpe6eZ4hRjDrM8mVWbrAImiY8ids649o2/f4eGtDMaevkQjuTSWdyg5kzvIGqtpEpCzX7jQWnruaWZvpKFOg0hOxO77VTLvKYXJzcC14I4EVvRMzmK3lSp+0wjCJZrG+KahgNVgpzmz+F0tuqqodPew0Qp/Dff/sFzORwb7GA0BmS5UiFhcte6iHzzZtlzboaPkWGJu4FxgO0213HGovQJJPA7TlKueZHpGAT3XvfH47hb6/oNJYmDkmUp5WvF0NfBSbW/F+ICLlBHQ3DlriLxOnJefS9kArEvBqrOY9ZaaHG6Rrw3yNDT72tnrx9yQbRn396gM/gvkt3DtMfh8+JIaildlLMVbiKOL4aqk8BToOR11JTc0cIa36+424P5RQpqnTaak1pgnz/xaV/FdkLraFkLeGgcyZM8utT2srCzwa5l99QuugMK6IBrBQJeXl5rBN+mLJ3omS4ncGqHyydlMM2l/wi8Qj+WmdX8X0NxM/H9fGXv0AaIW4hoYpIvLiNwQMsDjXPmLf/XV9Bs/6EA5TKzEbZmdp8e1Fz3SircoQhBeKQC0/1+Y0KFtsEXJ80nVuaUS2RDAw1qxylBgKWSjSoSitned/CLhp2EIoCAXLk6d2FjszPxrX7/mBc61V5d8BasLahQTubZDKmzYrktnmK/xPjOP4B7CWF2a8cjp02DS/MZo7lgRpLmBLuBab+3jepT/EyqnC6V9nzMHeu4QMfL7SpY6JoZfAppbcYypVS5o6UYcaIRR9ZgQMLgoDXGCjU4rWCCVQ6UxKNqNCRpsq5b6HkFe0pb7g7ZMSQKqvj1xdlyl1rfEbWNofYXgguYaXjcTaH+wfikOsIXXZPS0rfo1ecDvFhfsdAcyg9Xs8viUaMZQLbiNgPOgFN45qvEKjqD+Du3MpFa5NJxFrVTyCiMMsfeEaNQ1gN0DMmtlcuS4vMnhEUIDYpOSIq6eGqoS6x2VLgfRIB5VRDv8nSQ2koiDh7vzaUaPr4ssoHVVtbn83Su26LUovFaUfKz20WKGEvDrNx6Isq4oDV4LSOVSh6Oxd16AXFi6a4iYcNf/d/2BXQ4K9rQv0apUJ73LDjw9iLconLIY2B+81yuv+xCp2CzJ8FIxuhHhVvbDgxseldxNZ7hBUxgwFngS2nTdilcZZw4QGmtnIW6J07G6klZgB8w68lYO9ALUFahmmjwLzrYqw+uSop+ScHahchQEVB1dIjclvT2RZy1x3JN5U8LVnU+XND6z0S4iWgUA2avASJ7jr3natf1m5YoYLp6XQlJfxU0ms0f1sHleFWt+j0SX4X3Jy8j0MZqXlqrRgECSRe/Qsk2lgpRiYDh3vm/GbYvxy6OF8Pl+Mr9IdjXWObe53Uo3pKA5rvfC6/rI1Sx4PfyqSvCURaEmDjzwr6k8lomFrCl1zUV9azWvMdVAyYMJ8skK7BG7NaCZSUZGFoz0j4v7hbM0xQPFlOS78HhKuWlQ+M9mp6BYOLw1wYjulgFc+D8PNuDJFm+2rCNf2QXD+0V0idru5xchmeGaRu7pCi1TiaFU2LoKcCdIPHcDjI3zJ0iuh26J630Cz10pqeX1JEhklMoemsoxeHYZ7UqdADla+HLrWrmLOCriP14+vBG4Zpok+bWbhXtwA9bSAVj9PAPBo2FPjObdBce2cGTv6O2M71sQFAAAAAbKJnlm16JBUvtKTLZByIr0lYfvgy6P3irjYsoi/hijBzRrmVIjNUzG55L55vxjPP97hsi36Hh3+XFI1OJjpqwQ=="	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02lriaqphlnqvfzi	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dmebvijkfpllqn\DeviceId = "<Data LastUpdatedTime=\"1737795639\"><User username=\"02DMEBVIJKFPLLQN\"><HardwareInfo BoundTime=\"1737795640\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dmebvijkfpllqn\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qhvgcamqhyqfry\Provision Saturday, January 25, 2025 09:00:32 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAACfuwITqqwRk9ZUgnEaCXYOW14Nw8khxQwJHpVQk3uihwAAAAAOgAAAAAIAACAAAADNpJT4yuWlOEe1USPd9cNXRvPcocpMFlTT4Q7iNbBCUCAAAAAew1UquTWQ5/KFyolniuVNHBR/leLWBlrbECSEMV4B00AAAACN15mjwHeLkq9eo4yox7/UYef5/XlQOc2H4M8tQoc+tbRP5AYY7tixVz3GKGLneqA75SK+bNsGp6MCyNt+lyay"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02bpaoculioqqvol\Provision Saturday, January 25, 2025 09:00:32 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAAB5dZK1hAyRqWrPvDaU07rH+vhUY4cN5IvRPMz5uz4eegAAAAAOgAAAAAIAACAAAAAbbFlc/a8CA8oAzjufSWcdBt12Pr2xOkJY2VFku8WivyAAAADsZBRJvycBud0a40JulNeshJM3kALn8760zdZOu0qRjUAAAAA/xviiFYWNp3MvDzZeAz5RCQq7hWfQ+K0FQJZHvotXVgV68Vg9ouV/L/k1JS2d2ZlPn9e5FzkcSEm/QD2HIH6a"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qckosqzcprbpdn\Request Saturday, January 25, 2025 09:00:40 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAxdgFcA64XUO3kyFOiOsQOQAAAAACAAAAAAAQZgAAAAEAACAAAAAX68HOX65D/3yRVsS/vuFZq2w20cLmmPAFzOHeVg1jjwAAAAAOgAAAAAIAACAAAAB4lm30BBwSramDGHfiJIUosdiyRR0B3n+GONGLWBeVhbASAABdNr+NLWBtzog+C7fOLGeHUtdZWZs9miS9t3UpW4vPg2Rdn4AxGAxw/dGtoIivic8Cq8q18FQaFskuOBEHikXCgQBP5oaur29cBROq4IGZ27gRuen0jbSkIWtMBxVhnCm/cofwANoHTDxBjuANbWk22KNFXxn7UvR103uANXIFyRhM9772UCreJVfdXXSMyfTb34p8B5wG/AxCLFx0P1xxFAFsC64ETRoopEOSPVIsW7rf0Prj0kciOre3u5WFfBWQ/lGk4R+giQsovessTR0DOm98hWeu/YiHEyCa0vEqEXgvqc0Xp63bY6gDL1q7XIVsD9C1ezkG2uUHmHxKyUXu4SD6eIYBbFjH0Sh/Tzu4hhlCf3q1yNUpiCG14QNuzGwTzR6c8i5cvyRg3FjEqfhaEoMCvgQ7hqMYVsgx87v+/L6ML99oRj5vTAWLl/uWcQ6MdHREbHHS6yAU5Fpf+QV0A5w5LobxJtj386tY99hZQMPtpmvjV0bh8tK1sDkIv5OvV8YxIIEA3m60KbQAvUQ96E1Y+XLJ2+4dI8pqJ0SjPeZ9rkQwMOakGOv/HJrePY2u433fFXge3oyqP88DU+/6C1N0S90QZjp6B1rQMCCeBdaVInGapAN4g+TeLPqouOuTS5L5DcCuygDlGbmxtlPGvEXflxdx1pONDHAsTm6famZInHPy+vq9oD7ABQN/rFVazFevfX976iURIsE/yjGExiGfCUFfvgR1tdHldC0vQBV2TxNmt7fQJ00C2l/wQNuoTm69nscBce83CxW+nmltcZ43uUFggryYhWOIHsR74IjiBA+lBaTvhvw3uRmGoGcAeyP23HiHGL2New/O8EipFlZvJ70SiM3Az6EmPYfd3ZojV3jdBwBip+At7Mpq3Lg4k0YTsxoo71kWtN4Daad7DtVChFmhpXG+8W9yHFsI4b9ARqTQ7aFsGbpFHb2f/mtH+oTwt0QOW5Yxz1pOGcetaIVqakzTsfGzRuca1Famd6bhwWnj+BZMgjvpm72uDpg8P8GcoFOKg9M146hsuHkv1pfoq1MN/7aaWp1CQYMaVcVn3BUOTlKtQXYIUHNLLMhE0d3kr/wWzSSY4ffJ+/+tGCgXIpI4L3ua5bmu2rULAWKia3QTe6QZpV4ETJKSXhOktftXc653dtSeLPfGgiyO1LwtJEgShgLwGDvW6B/55jhLJmT+Foodd0yQognpsIicwxZPe7bIxBnbLHS9fyIEHQ7n1nCIIagX5LhAGIrk6iCVGFxj3eUXa9m2cwCReFnqD6EVTKzaxvUxmyou6Y7d07BO9t5/kVNlqVVUNmVgGvbOS2+DByBXS3Obxynfu62yu9IlY7cj6KKbStKw3naq0FK5GTFGKyuKZmLjwU7V/4DiXONWS42dVoiphgSt+GrR1syncFLLL5YgIjZ09y9LkMr4pYljKiymo3iXxkV4+QMa0VhwkvWk0MFb3M0NINoM+gjR09OB+sm7zfuxb8r8pmibsGWf3woGQu6AA4M8JwXYdHepNVnbPn71xwOQtn8Rj2TPutV2FFBmYUXR0aumpTs2ksPPWBow9cmCUs024H2q+AkI3NrNPxFsRDKlMFuSyQVR48MUGiwF0ppgD1Tb4vsOjL4M/phrdXckXM6CUH9p92W0UmBNYjNcna8shD65XjMqhaBgDcMAagBmklfGQLlsC0uoMXH20sWK9liJ60EC3Mv1wZMM6rWCqIFzK5wM5K5ILQngC8ksCOjqrK6+PYbZ9yjmTAmsjA5Sevdb1ih5rUw5h+c5YnFNGTUftarl+VrMtStkDjhHK1Ec/GK2zPNCeuxBfu+7Obb0FD4WDoXHRrTspAgHfuGPIXs6/NqX1mToN6Gy9muZ2HH/8IjBhofFv6wMNF49EhxTueOcI2VdvAFNQNCQMRz66KGar2g4nxIY5gOBok/den+5rnUBfn8EgW6X0QZH+c2KefUjuaK9CCM4yhriCZOryYcg60MTQvZn4mScNvCUD8lCKKUGNh/Ma3ciSnR+qsZUAu3ttRDwV1brjkTPzAqOFMx7WYkSEO+v9I5G/f7v+PEBgP0uCbM8eWrLrDhGRiqGHQHSWxrfAT+vrX+Vw5bHG8OzsvV9wd+dvVNcF32ids63i97GmN+KQFeZUytyQIpMK62yBF2aP/xLYDs+RqSH6w2Cx+x8/E4oZ//xFJVX9rU4HvyTTL+BWTSZQ3Wx2jLpZJ3zByLnwUtMlF+fGRSj6NP3FcVbdUynItylotnyljE3F//NajKdfq3xWGeSfv+cvbcxRsFCjKQE6dFRbrykOHT7SssY6EkmNB1WHhYE3QAFx8h2oSudDlo3t8Mfj6Y69V6gGPnloA6fHDYTbvlBgg8vw8oSWrCtwLKAE2kvPX/FQhVTUc7drnqplM4o9Ijkyrwm6DzXM5Rx5UDNu0BHoDbscQmkTnRpx1d1QA24vUAy7MlBDK7bPj8BQPiGKYz3ZGO6UJnZXqKVwprM935jI8hvZQwtwboR1Oso9UhIfz6eujqvJOQyHo8LZb+Enqb58SLFjQ7EBkqUsU7Zzc1iIQCd9jRY+JUL1GDoWSZsqCu1UVILylvNzfblsa3QY0pgRZ1yHL+AhmS4sZtuvHbxT2jaOaQWOBajVE9xeU44oPpgyPvvMfdquec6fE7zEJ8dbP+oYakr7tJ9sraE4s1B4mY0UR+wIkBmALyQ1B3iOEKRn4DQEKy0rpeYq32eeD0MlZFWNV6HxF48ZMr7RdSqFKryqg6CREy/WcmYha6xrZP0G3vYrghtCzLHI63QxWsfSm7A7w3EdeMpmZ175fZbOnfi42WYIZZTfztjh6zQ7XwdNcE5INoOgsN6Yoa85EgcqczG0XlHGX2q/LqPsrbrpgpWDMSe21Dgyw/pU7oZ/4d8eZz5/mWFsoukYDKY10LtNo4S0xCMUMlyYvYrzgvdEwhWUyZqy4OGRI3le2cD/TSRnLiu7zPqGLOl0m5/mEuO6y8f0nNF/qAGNl/IDaub0dU95u2Nnru9fxJn2z2wxvuAze4frlqY5IwjaSzqJxpjAScuvCAfSL8dDPPCaB9Wnt7jnSv1THaf0LOkGnD/083gPUALcznmknWBtvCvHdwk4MyMQ1cehokXqbsUCncCXs/re2nFcUb3o0kYH57zEa2YCUrmQn0ZxPsHwDL2Ch/4VCasNKn9swX0rMeBkMFXu98ekwR/EEDtM8DmlqjC4ayqEeIXCxe//M6KIbsfwkSfxGWx6++gffYUy2BTZ2C0lH+L8ifA2Ts7pQ4NA2JHsbkXLeEheMqz0/tXUXBRSAqZNElYSd/dQm1R2f0EVLvDDB6nwkN2DRhTzoOuOPCL9SDyNSvYK8lieevDZe4e5ps4v84d24yKN5DILprcygzcfn57d6gJJtA0MuOKQaq3dDqw7KGN53nuQ8gyORVbPCviJngIvTQdyvzy35x36jDI2/qQkb5QiEOLQAHJMNUVKjkUkjf6yoFPsOEUB6It/gXjQCofA5G7Bo7nH8hKOaz5ceqJkbpvWfM4/Lizq+q24dw9gq/GbWukFknRwMdjYu32zTevGPv1w+SOQ8x+SB4yeoCHL+rd8jHrbYGYAeNs3tS5HIUNcDJY/kfOV1xU+ZVvFwfus8B2z7BG/Rl7m6tTzKnCJHX+rho+26Dy9SIdwWXk9/YfwN1nfZtmyiF9hC3V1iFSlb0wxlzUyXLYxoBkGXhZ36nfjbIpU88MTinZxTxsr58nGPC1uqGDBCEqWmHmpsy3N5T25ATHDZs98cU5W49x71vJ9bsEolOAxJhImx14y7jH+3ynfNPsBD4ugWVaDk2JwjlHklqnu5L7TYyIbr1S0Wwg5u8m77/9qDIjbDV8KLI2PHRhUFRsopYMCykRMJJxb6iBYnHxfZTI6e/QyyjBQPNyXgruWD0WI7xQu7qK5S/8dD9EenayhYCdM3IG/tf+bEr13AQnNE8ktZ9DqIjGi14DYhK+OeU5+hZYcSUGcq5rfsUxbRTS9OWZvYaBoVMor0niHqudITbiWq5OZCt+EQPWcQdWfzie1cIo9sk3EUYP/AaJU3b8ql7LcsKSgaUN80nbR+nzexuIq8JfIxnYuFfDUzzelIOZF+PWa63rCBLu2eLfsYL4UtSNtagVBn5rp//F9MfgG18fxeln6X+Bweg0EfLj+50FQ3VzyymWRHMQhof6g5AIjcYE+BC3SicQ71FxYiFUN5zbICEiAZ/YS5xd9By8TBKz9GtS2yP8i2EvgjoNZTKb7wH2WvR8PfAq5Ol6htPAtrDQtt5LDHVN2RRk/vtSdyoiV7HUZuSiKV5IKWdUsIgOMt64yaDyHXFajAbn/dj6/t1+RbYNUJceiRiV/3sOZaXm+tXogDXQnvyRYOFfVeoX6oHldKOsegktLU5TqMHN4wOWO4kbOBsiKe8azEcmR1KDROoCqiijx/x0LOteq6I1ryqyAPzz9QE3prchrzmGPphPJFipkl12ZTF26uFtCu6k5eddceOF2sMUgntnIyhnR53qbLRZlftCb+bq+wfPYk9uO7vXyfWaB39e+R30li/5Ue9AtwWmFf/CxNNWTp/efxF19yO1s7CdZN0cavRfkD0BczPe/Qb1i/iaH1k8krFGbROboNjd0GheEwcuH7qpcHff52wFb9Qny5Ho0emG0LQSDmKQekkFeZimZCXhm8MhXN9/zzA97Z5+AtGB7S4ND66DZedjTqC3ymoAWEsRHxKfpijuvMsLgihxCOJylnx5+92ngM94mIA/ymcEMJAQvHvq0PJje4zCLGp06TVkkUwrA6F1gvX9PJwi2M9j4qrp/PlVATSqgKbs5NnMZuGsUJpRkPA7ksOHYqjkfRoISEvD+sWXZB/ZuAxvGcFwQ0tZBkkU301Hh1xmRwcNfIEa5zxoHUIkUmnHm6/zg7qaZA6Ybd68dSt1+GmArY0pwqABd1rHJuZ3/1+qRiCGxoBppmim7Mt6Bk3RuTeGKZTvGga1iZFXu1hUJ3yGS4PYgaCA5xw30nH0w3mnzErwzdHLq6g19b4l+cR2T24DHX1SeNyO2JaM7HFpdV2ju2CV9Dt4Mc04hViHxl0o42xJMkyBHTlj8FT0N/nj7mpQyF12WvBYfyzUlZmVa31+mjcipgVQi8gdM5YdU4iMeqx5cW9Hq/nP2Ird+jx1TXMsKDj/A2e/GClH3Vie3lCiN5bQ7s6GHti4XT/YRaknzyP9hn6mp+x+c+4zNagRvI3w2B0rJLt7O/TCayJtZcgiiA06r7X7AeATbUW23GsMohv9PrmYTOFPoOw/bB0UIOUDTdC8wA375psLZc+hsJbvSUNH1DAhm7AAP1PcFmzDTQGA+YKqsDKKTsFqNsVVvOfwcd4/oRTCiOYCViP97RLPZ5uZBJQXd6DIt9LWWoicM2J3JybgXoaaChnkwVBU3WVkwfBftuFPXJNjMEeBN84SXBpth7zrfGjK5Vgs/3PEsgxFKFUjHxN+wnQTYsaAt6VteAvLhUbbvUrt+7UVDmNHdQfRCrT5yyDGqkqi6SHuEBXTl0SXYFu54XD1XVuibgDMGZpzex5WDmaKb+k25Q+G9haEaLi0RFaj+SFG7Ui9+s+eWdIHnL/OIWqvvh0eTpdtKhrU+DfM+Zyps8a6eLXBYqLSlT8MLpPbyxkHeyI2Ci8+e45V7ZiAUm9d3jPTOJPuDZRp6exC7Y5x7DjfiAoL6zMCi2EbxDB1MkDskr4BDJ1UpBrz9bTfzQCSrv7Ql25knWq6rXRnfIrwENYb1LayQwJTP1/kaJylhHA46dSlovKnWY56NDITBiNll4rz7//PmDvoTDvgZbvlKS6WSDSkURUFKDWnlX0L3yqstfYlcm/kqzDuFpu27gpLL4sbBhnR9CV+OaRdZiuve9+AQtA5HgizHxmaVm3JaoDRtUg8qJ1NSX7Q9YMIkxN5AzIVeCj2JFD+OxsvNr0SwhfmaudKpmR/T6GhbdZ+KSiXavTpaZ/khPKa+9KvgJ6sjJpTcyX950Vxl/rUbI7yquyhrws1w9nC6pNxR7QX38Jd1U89aUdzn3fZmaLl7lHlBDmxl7v4UJYp3z59o6GtP0bK2KvCKjKPLSknbL8idkFwFNbUilGJdcvpjBC+9V7wMu8z4tXkIX/fuYbw5vpVtaSv4vBEKucBbof7rRhw8o41KZaP7mq/goBEklpbwQTtM8IPgj2skX3DaKRhgHky7fM9C2+rC8IxyTiXppS1KBRx5oCjotjRdx8sj+RixVSjb9QFfQ+t/dUzGFV3LxbkuBhILAW7fQlUBWFcS+Zz9tXM/HkMswlvV0wDeEoo7ZhgwD9hOxQjVgHdjifWd3AinYbfqWBlal4+jU39Cil5qoOrRF8Bs0Ybr6njXm+TvkcDYFdXUkAAAAAbXsOjIug0KQdO5gnKm1UsOlnKBQGuT7LDF/zJtVotkvEYxUk8yroJDpp6nJyUUyXcs0qlhPkAR9VPveWjrTJw"	svchost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	wmiprvse.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4004	SCHTASKS.exe
3256	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2204	WerFault.exe
2204	WerFault.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2428	svchost.exe
2428	svchost.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2648	UZI.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe
2944	oqrtgtd1.jt0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	UZI.exe
Token: SeDebugPrivilege	2944	oqrtgtd1.jt0.exe
Token: SeShutdownPrivilege	1728	MusNotification.exe
Token: SeCreatePagefilePrivilege	1728	MusNotification.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	4924	dwm.exe
Token: SeChangeNotifyPrivilege	4924	dwm.exe
Token: 33	4924	dwm.exe
Token: SeIncBasePriorityPrivilege	4924	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe
Token: SeSecurityPrivilege	2364	svchost.exe
Token: SeTakeOwnershipPrivilege	2364	svchost.exe
Token: SeLoadDriverPrivilege	2364	svchost.exe
Token: SeSystemtimePrivilege	2364	svchost.exe
Token: SeBackupPrivilege	2364	svchost.exe
Token: SeRestorePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeSystemEnvironmentPrivilege	2364	svchost.exe
Token: SeUndockPrivilege	2364	svchost.exe
Token: SeManageVolumePrivilege	2364	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	svchost.exe
Token: SeIncreaseQuotaPrivilege	2364	svchost.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3396	Explorer.EXE
3396	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3576	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2944	2648	UZI.exe	83
PID 2648 wrote to memory of 2944	2648	UZI.exe	83
PID 2648 wrote to memory of 4004	2648	UZI.exe	84
PID 2648 wrote to memory of 4004	2648	UZI.exe	84
PID 2944 wrote to memory of 616	2944	oqrtgtd1.jt0.exe	5
PID 2944 wrote to memory of 672	2944	oqrtgtd1.jt0.exe	7
PID 2944 wrote to memory of 956	2944	oqrtgtd1.jt0.exe	12
PID 2944 wrote to memory of 64	2944	oqrtgtd1.jt0.exe	13
PID 672 wrote to memory of 2532	672	lsass.exe	45
PID 2944 wrote to memory of 440	2944	oqrtgtd1.jt0.exe	14
PID 672 wrote to memory of 2532	672	lsass.exe	45
PID 2944 wrote to memory of 612	2944	oqrtgtd1.jt0.exe	15
PID 2944 wrote to memory of 1028	2944	oqrtgtd1.jt0.exe	16
PID 2944 wrote to memory of 1072	2944	oqrtgtd1.jt0.exe	18
PID 2944 wrote to memory of 1092	2944	oqrtgtd1.jt0.exe	19
PID 2944 wrote to memory of 1164	2944	oqrtgtd1.jt0.exe	20
PID 2944 wrote to memory of 1268	2944	oqrtgtd1.jt0.exe	21
PID 2944 wrote to memory of 1276	2944	oqrtgtd1.jt0.exe	22
PID 2944 wrote to memory of 1300	2944	oqrtgtd1.jt0.exe	23
PID 2944 wrote to memory of 1400	2944	oqrtgtd1.jt0.exe	24
PID 2944 wrote to memory of 1416	2944	oqrtgtd1.jt0.exe	25
PID 2944 wrote to memory of 1472	2944	oqrtgtd1.jt0.exe	26
PID 2944 wrote to memory of 1548	2944	oqrtgtd1.jt0.exe	27
PID 2944 wrote to memory of 1568	2944	oqrtgtd1.jt0.exe	28
PID 2944 wrote to memory of 1644	2944	oqrtgtd1.jt0.exe	29
PID 672 wrote to memory of 2532	672	lsass.exe	45
PID 2944 wrote to memory of 1692	2944	oqrtgtd1.jt0.exe	30
PID 2944 wrote to memory of 1772	2944	oqrtgtd1.jt0.exe	31
PID 2944 wrote to memory of 1780	2944	oqrtgtd1.jt0.exe	32
PID 2944 wrote to memory of 1912	2944	oqrtgtd1.jt0.exe	33
PID 2944 wrote to memory of 1924	2944	oqrtgtd1.jt0.exe	34
PID 2944 wrote to memory of 1988	2944	oqrtgtd1.jt0.exe	35
PID 2944 wrote to memory of 2012	2944	oqrtgtd1.jt0.exe	36
PID 2944 wrote to memory of 1808	2944	oqrtgtd1.jt0.exe	37
PID 2944 wrote to memory of 2080	2944	oqrtgtd1.jt0.exe	39
PID 2944 wrote to memory of 2228	2944	oqrtgtd1.jt0.exe	40
PID 2944 wrote to memory of 2364	2944	oqrtgtd1.jt0.exe	41
PID 2944 wrote to memory of 2388	2944	oqrtgtd1.jt0.exe	42
PID 2944 wrote to memory of 2396	2944	oqrtgtd1.jt0.exe	43
PID 2944 wrote to memory of 2468	2944	oqrtgtd1.jt0.exe	44
PID 2944 wrote to memory of 2532	2944	oqrtgtd1.jt0.exe	45
PID 2944 wrote to memory of 2544	2944	oqrtgtd1.jt0.exe	46
PID 2944 wrote to memory of 2580	2944	oqrtgtd1.jt0.exe	47
PID 2944 wrote to memory of 2604	2944	oqrtgtd1.jt0.exe	48
PID 2944 wrote to memory of 2804	2944	oqrtgtd1.jt0.exe	49
PID 2944 wrote to memory of 2844	2944	oqrtgtd1.jt0.exe	50
PID 2944 wrote to memory of 2984	2944	oqrtgtd1.jt0.exe	51
PID 2944 wrote to memory of 3044	2944	oqrtgtd1.jt0.exe	52
PID 2944 wrote to memory of 700	2944	oqrtgtd1.jt0.exe	54
PID 2944 wrote to memory of 3296	2944	oqrtgtd1.jt0.exe	55
PID 2944 wrote to memory of 3396	2944	oqrtgtd1.jt0.exe	56
PID 2944 wrote to memory of 3516	2944	oqrtgtd1.jt0.exe	57
PID 2944 wrote to memory of 3732	2944	oqrtgtd1.jt0.exe	58
PID 2944 wrote to memory of 3888	2944	oqrtgtd1.jt0.exe	60
PID 2944 wrote to memory of 3576	2944	oqrtgtd1.jt0.exe	62
PID 2944 wrote to memory of 1804	2944	oqrtgtd1.jt0.exe	65
PID 2944 wrote to memory of 3928	2944	oqrtgtd1.jt0.exe	66
PID 2944 wrote to memory of 2100	2944	oqrtgtd1.jt0.exe	68
PID 2944 wrote to memory of 3884	2944	oqrtgtd1.jt0.exe	69
PID 2944 wrote to memory of 2912	2944	oqrtgtd1.jt0.exe	70
PID 2944 wrote to memory of 3428	2944	oqrtgtd1.jt0.exe	71
PID 2944 wrote to memory of 4244	2944	oqrtgtd1.jt0.exe	72
PID 2944 wrote to memory of 944	2944	oqrtgtd1.jt0.exe	73
PID 2944 wrote to memory of 316	2944	oqrtgtd1.jt0.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 64 -s 3656
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4924

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1028
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2984
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1268
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2468

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3044

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3396
- C:\Users\Admin\AppData\Local\Temp\UZI.exe
  "C:\Users\Admin\AppData\Local\Temp\UZI.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe
    "C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4004
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3884

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3428

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2028

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
- NTFS ADS
PID:1104

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bfedf3bdba9daaf9dbc373339bbdaefd e4EmNk87oUWDBNh7yQufcg.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:4780
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:696

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1940

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:872

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery