Analysis Overview
SHA256
6e5aa4eae614ca049a1b2c8b803e6610b2b176a8e009ddad8df221c5899bb0ac
Threat Level: Known bad
The file UZI.exe was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus
Orcus main payload
Modifies security service
Orcus family
Sets service image path in registry
Checks computer location settings
Loads dropped DLL
Indicator Removal: Clear Windows Event Logs
Checks BIOS information in registry
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-25 09:00
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-25 09:00
Reported
2025-01-25 09:02
Platform
win7-20241010-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
Orcus
Orcus family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lkxfur4l.iwh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\System32\Tasks\MasonUZI.exe | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\MasonUZI.exe | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\wbem\Logs\wmiprov.log | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2d\52C64B7E | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\system32\SCHTASKS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lkxfur4l.iwh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\UZI.exe
"C:\Users\Admin\AppData\Local\Temp\UZI.exe"
C:\Users\Admin\AppData\Local\Temp\lkxfur4l.iwh.exe
"C:\Users\Admin\AppData\Local\Temp\lkxfur4l.iwh.exe"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17580069531250797922481872823-2122011395-1535987929-995782385-1920058755-677130300"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1996097633-637396328-937541236-7799626746554135701993731091846718351-138789607"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 195.88.218.126:10134 | N/A | tcp |
Files
memory/1740-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp
memory/1740-1-0x0000000000A60000-0x0000000000B7A000-memory.dmp
memory/1740-2-0x0000000000550000-0x000000000057C000-memory.dmp
\Users\Admin\AppData\Local\Temp\lkxfur4l.iwh.exe
| MD5 | 94f1ab3a068f83b32639579ec9c5d025 |
| SHA1 | 38f3d5bc5de46feb8de093d11329766b8e2054ae |
| SHA256 | 879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0 |
| SHA512 | 44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c |
memory/2332-11-0x0000000076D70000-0x0000000076F19000-memory.dmp
memory/2332-13-0x0000000076D71000-0x0000000076E72000-memory.dmp
memory/424-43-0x0000000076DC1000-0x0000000076DC2000-memory.dmp
memory/236-57-0x0000000000C70000-0x0000000000C9B000-memory.dmp
memory/236-68-0x0000000000C70000-0x0000000000C9B000-memory.dmp
memory/740-75-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/2332-83-0x0000000076D70000-0x0000000076F19000-memory.dmp
memory/848-85-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/848-84-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/848-82-0x0000000000CF0000-0x0000000000D1B000-memory.dmp
memory/812-80-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/812-79-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/1740-78-0x000007FEF5103000-0x000007FEF5104000-memory.dmp
memory/812-77-0x0000000000CA0000-0x0000000000CCB000-memory.dmp
memory/740-74-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/740-73-0x0000000000C40000-0x0000000000C6B000-memory.dmp
memory/668-69-0x00000000001E0000-0x000000000020B000-memory.dmp
memory/236-66-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/236-65-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/972-63-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/972-62-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/972-61-0x0000000000D50000-0x0000000000D7B000-memory.dmp
memory/592-60-0x0000000000170000-0x000000000019B000-memory.dmp
memory/492-59-0x0000000000200000-0x000000000022B000-memory.dmp
memory/476-58-0x00000000001E0000-0x000000000020B000-memory.dmp
memory/492-53-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/592-52-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/492-51-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/592-50-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/592-49-0x0000000000170000-0x000000000019B000-memory.dmp
memory/492-48-0x0000000000200000-0x000000000022B000-memory.dmp
memory/476-46-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/476-45-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/476-44-0x00000000001E0000-0x000000000020B000-memory.dmp
memory/424-42-0x0000000000CB0000-0x0000000000CDB000-memory.dmp
memory/424-19-0x0000000036DB0000-0x0000000036DC0000-memory.dmp
memory/424-18-0x000007FEBD640000-0x000007FEBD650000-memory.dmp
memory/424-17-0x0000000000CB0000-0x0000000000CDB000-memory.dmp
memory/424-16-0x0000000000C00000-0x0000000000C25000-memory.dmp
memory/424-15-0x0000000000C00000-0x0000000000C25000-memory.dmp
memory/2332-14-0x0000000076D70000-0x0000000076F19000-memory.dmp
memory/2332-12-0x0000000076B50000-0x0000000076C6F000-memory.dmp
memory/424-196-0x0000000000CB0000-0x0000000000CDB000-memory.dmp
memory/1740-218-0x000000001B470000-0x000000001B558000-memory.dmp
memory/476-219-0x00000000001E0000-0x000000000020B000-memory.dmp
memory/972-222-0x0000000000D50000-0x0000000000D7B000-memory.dmp
memory/1740-224-0x000000001B310000-0x000000001B390000-memory.dmp
memory/236-223-0x0000000000C70000-0x0000000000C9B000-memory.dmp
memory/592-221-0x0000000000170000-0x000000000019B000-memory.dmp
memory/492-220-0x0000000000200000-0x000000000022B000-memory.dmp
memory/1740-225-0x000000001A800000-0x000000001A85C000-memory.dmp
memory/1740-226-0x000000001B2E0000-0x000000001B2EE000-memory.dmp
memory/1740-227-0x000000001B560000-0x000000001B572000-memory.dmp
memory/1740-228-0x000000001B660000-0x000000001B678000-memory.dmp
memory/1740-229-0x000000001B300000-0x000000001B310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9BF3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1740-277-0x000000001B310000-0x000000001B390000-memory.dmp
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | b133a676d139032a27de3d9619e70091 |
| SHA1 | 1248aa89938a13640252a79113930ede2f26f1fa |
| SHA256 | ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15 |
| SHA512 | c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5 |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | 46d08e3a55f007c523ac64dce6dcf478 |
| SHA1 | 62edf88697e98d43f32090a2197bead7e7244245 |
| SHA256 | 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614 |
| SHA512 | b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42 |
C:\Windows\System32\perfc011.dat
| MD5 | 1f998386566e5f9b7f11cc79254d1820 |
| SHA1 | e1da5fe1f305099b94de565d06bc6f36c6794481 |
| SHA256 | 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea |
| SHA512 | a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f |
C:\Windows\System32\perfh007.dat
| MD5 | 5026297c7c445e7f6f705906a6f57c02 |
| SHA1 | 4ec3b66d44b0d44ec139bd1475afd100748f9e91 |
| SHA256 | 506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc |
| SHA512 | 5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d |
C:\Windows\System32\perfc007.dat
| MD5 | 0f3d76321f0a7986b42b25a3aa554f82 |
| SHA1 | 7036bba62109cc25da5d6a84d22b6edb954987c0 |
| SHA256 | dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460 |
| SHA512 | bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0 |
C:\Windows\System32\perfh009.dat
| MD5 | 1c678ee06bd02b5d9e4d51c3a4ec2d2b |
| SHA1 | 90aa7fdfaaa37fb4f2edfc8efc3994871087dedb |
| SHA256 | 2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3 |
| SHA512 | ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32 |
C:\Windows\System32\perfh00A.dat
| MD5 | 340af83514a525c50ffbbf8475ed62b7 |
| SHA1 | e2f382ae75afe7df8a323320bbb2aafa1ff6e407 |
| SHA256 | fb298e9a90476b4698def395a8ee1974c1cee3959b658662c730da915caea417 |
| SHA512 | 8236aab579456ef4614ddd5fbfe72d0b0b26617c43a9cd53c3de56d3ac052eee8ca7d70749aaca0692855ecd4fd5f1460ac0b1dd30481dee519b910755c1cc2d |
C:\Windows\System32\perfc00A.dat
| MD5 | 540138285295c68de32a419b7d9de687 |
| SHA1 | 1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56 |
| SHA256 | 33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb |
| SHA512 | 7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a |
C:\Windows\System32\perfh00C.dat
| MD5 | 718bb9564980029a2e3341093a4bb082 |
| SHA1 | 8953d96e47b65c2c70f2bcc3d9e2e7c55d41ee61 |
| SHA256 | ad7b5314ef00ce846ae2c91a32dd1c1f2b4905cf182005e251ad6d4af66cc977 |
| SHA512 | 3f22961d108271dc098ae2c75d217991da38c18a587b44abd74da853ea26d171ca1a507c3200f3b7c2a8175bfff5a8b968a551a4804082064dc6f2ef98b5432d |
C:\Windows\System32\perfc00C.dat
| MD5 | 831dbe568992299e589143ee8898e131 |
| SHA1 | 737726173aab8b76fe1f98104d72bb91abd273bf |
| SHA256 | 4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405 |
| SHA512 | 39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139 |
C:\Windows\System32\perfh010.dat
| MD5 | 66fd0e1999023d23c9f8e3cd7a92af77 |
| SHA1 | e0e61df319ddbc7c9d425612295f825c47888658 |
| SHA256 | bdbadcf6f408c6d223974d52a69413aebe1d50ac7eaeacefa2beb2f7321355d0 |
| SHA512 | b8924cdf53eb5589820a16890fa7abdca20dfc3ca44063d3fdaef484f506419dbf9cd660bc80e8dfe7b7eba7d9db8fe0046accc1fca8d3faf70dedfa1ee0e68f |
C:\Windows\System32\perfc010.dat
| MD5 | cf82e7354e591c1408eb2cc0e29dd274 |
| SHA1 | 7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9 |
| SHA256 | 59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d |
| SHA512 | 98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620 |
C:\Windows\System32\perfh011.dat
| MD5 | 24da30cbb5f0fe4939862880e72cc32c |
| SHA1 | 9132497736f52dae62b79be1677c05e32a7ba2ab |
| SHA256 | a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f |
| SHA512 | 332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-25 09:00
Reported
2025-01-25 09:02
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Orcus
Orcus family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
The handle to \??\PHYSICALDRIVE0 is opened by wmiprvse.exe (the WMI provider host), not by the sample, and the row records only that the device was opened for modification, not that sector 0 was written. Confirm an MBR overwrite by comparing the first 512 bytes of the disk image before and after detonation.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\d1122fd3-ca2e-4b30-a70e-a5378017f4d7 | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\MasonUZI.exe | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
The row that matters for the sample is C:\Windows\System32\Tasks\MasonUZI.exe: a task definition named after UZI.exe, sitting outside the Microsoft\ task tree, written by the Task Scheduler service (hosted in svchost.exe) on behalf of the registering process and consistent with the two SCHTASKS.exe executions recorded further down. The CryptnetUrlCache, UpdateOrchestrator, DPAPI Protect\S-1-5-18, Credentials and Office Click-to-Run entries are routine Windows and Office writes.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Every read in this table is by dwm.exe, wmiprvse.exe or svchost.exe; none is attributed to UZI.exe or the dropped EXE. The key names themselves reveal the detonation host as a QEMU virtual machine (CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM) presenting a WDC WDS100T2B0A disk identifier, exactly the strings a VM-aware sample would read; no such read by the sample is recorded here.
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dmebvijkfpllqn\Provision Saturday, January 25, 2025 09:00:39 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAADcJ+p/b0FsPWhiyOhlEQbC3reYnZFEqN2zQCWwNjFKzwAAAAAOgAAAAAIAACAAAAAFXvAkqoYj+KTZCACSkSpdYzO0AbOX7ZN4KMEVnU1+9CAAAAC/JsRdRg7e7H0YyAI1S1EnQEj+NuiHZ7fezdizZIZ6K0AAAAC1Mq6TPBctFfYvU1CmEtZt3liaID7xpdTS+/Nu3lOfHC7gRP4IOWskZe7KTKic6yKvah8K59yxYMrQ7Nb82SNS" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02inkxybzzticstj\AppIdList | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dmebvijkfpllqn | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001840114EBE2834 = 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 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02bpaoculioqqvol | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-493223053-2004649691-1575712786-1000\02qckosqzcprbpdn\AppIdList | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02lriaqphlnqvfzi\Provision Saturday, January 25, 2025 09:00:32 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAACm/FqTDX/ScQ5uZZTh9rL9dkiT3R/XMsMDOiau0KFU2gAAAAAOgAAAAAIAACAAAAAfL/I4GYxDVBM9qGsfcosTyacoh4bvxbQXT6V97olF+SAAAAA7a/SCfahOMU5Z2r3M0rpJNXRI0tc9omLZ2R9WOwntp0AAAACd94Tcn0N16Pg2XSOk80ElKL3rJRSNgamCy2BkcI3aF4icQmopMLlfzBI0a/WSIehg1WzlfJcR9VlH8PeRsoFj" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={CB617365-6ECA-496A-A0D7-824E15D2CACA}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-493223053-2004649691-1575712786-1000\02iglvylpfzmtrty\DeviceId = "<Data><User username=\"02IGLVYLPFZMTRTY\"><HardwareInfo BoundTime=\"1737795640\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840114EBE2834" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qckosqzcprbpdn\Response Saturday, January 25, 2025 09:00:40 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAxdgFcA64XUO3kyFOiOsQOQAAAAACAAAAAAAQZgAAAAEAACAAAACla+1v+bEvoXwI3PgoWp8f1otH7qi+WassWlS95qsosgAAAAAOgAAAAAIAACAAAADTp5cp9OrMxslE1c/fwmlksZXR9KQhjrCHKSz49EvF6oAHAACV58MPa669Yra5xpDmqun+/wG42YAcyCCSpDf5TcmWKKhzQTgKNV4HlDO3Kw9cHS1LS9EL2Vy1LZdyDJ5Z4sg6iQ4Mv19aDJIynwOCHMs6XRuStYZwc/ies84PPw/N5tmaWgu6gqqaeqWbjb6/che01KIc4XVfyn85hmnHSRGVAnnF7yg7WjljLZcLKRirA1CiCTZbfZQ+/AclCBwc1nV5EYbd4Z61ACqd7T1uvKg/QTOUkt5cO57YiAbH+Kxta2E4OelKzXan/il5iC2423nBevikI/7kmimvy3IJyxQ7tzewkJngNMTZ+rPOhr8sg/UfEWUj6d0Mh2luMeGbXyJV5jtR2tzP1QgjLfkYpc9p7MOD8hqqeYjBVHNNgm+RlukS7HtpY1s4qzDl63nuEdnaw45wo/zlzCE+xtefX7N56Je7aNhiDBpVQDc8ahh9lgZrPK80jVKexz+BUBNDoMRARUuJndtwe2w8RLkZHi8AKUSOTamKtzuoIo1taqeX79HP8xzT4kAvWWednABMpvT69jNGa52lxrMaAV2IPaJZg6Ovqe1rXxzpC2LkPof8uLGJa/3UUbCSrjJzv3/t6d9SYpG/Ak00lvkHqrrv+CQWxgdAGMg9Ya4ATsgXrGw7BOBu30yK3qNYH4+Ad9d0p+qwZFFrXHYvmOPKppWd8BgE/nRfr4kP/5GHMI8yaeP1PoGdHs2vyin1A8Zdb3Li3KTqy8HvvoJ60ZfKBt6JEDtzec+rWg/hkZJSc7UAw6VWL3Z1Dq/BoPKC8PoZwJKh1tCYRDQPUiKC0YBrCkc+bs9LTp2QaPAMjacQeuc/plaakT3+z/On9R7R9QHDUPfsBBSNjHo/g+iLBKVAyF24+frbursI0u1tmdfL9S4xpe6eZ4hRjDrM8mVWbrAImiY8ids649o2/f4eGtDMaevkQjuTSWdyg5kzvIGqtpEpCzX7jQWnruaWZvpKFOg0hOxO77VTLvKYXJzcC14I4EVvRMzmK3lSp+0wjCJZrG+KahgNVgpzmz+F0tuqqodPew0Qp/Dff/sFzORwb7GA0BmS5UiFhcte6iHzzZtlzboaPkWGJu4FxgO0213HGovQJJPA7TlKueZHpGAT3XvfH47hb6/oNJYmDkmUp5WvF0NfBSbW/F+ICLlBHQ3DlriLxOnJefS9kArEvBqrOY9ZaaHG6Rrw3yNDT72tnrx9yQbRn396gM/gvkt3DtMfh8+JIaildlLMVbiKOL4aqk8BToOR11JTc0cIa36+424P5RQpqnTaak1pgnz/xaV/FdkLraFkLeGgcyZM8utT2srCzwa5l99QuugMK6IBrBQJeXl5rBN+mLJ3omS4ncGqHyydlMM2l/wi8Qj+WmdX8X0NxM/H9fGXv0AaIW4hoYpIvLiNwQMsDjXPmLf/XV9Bs/6EA5TKzEbZmdp8e1Fz3SircoQhBeKQC0/1+Y0KFtsEXJ80nVuaUS2RDAw1qxylBgKWSjSoSitned/CLhp2EIoCAXLk6d2FjszPxrX7/mBc61V5d8BasLahQTubZDKmzYrktnmK/xPjOP4B7CWF2a8cjp02DS/MZo7lgRpLmBLuBab+3jepT/EyqnC6V9nzMHeu4QMfL7SpY6JoZfAppbcYypVS5o6UYcaIRR9ZgQMLgoDXGCjU4rWCCVQ6UxKNqNCRpsq5b6HkFe0pb7g7ZMSQKqvj1xdlyl1rfEbWNofYXgguYaXjcTaH+wfikOsIXXZPS0rfo1ecDvFhfsdAcyg9Xs8viUaMZQLbiNgPOgFN45qvEKjqD+Du3MpFa5NJxFrVTyCiMMsfeEaNQ1gN0DMmtlcuS4vMnhEUIDYpOSIq6eGqoS6x2VLgfRIB5VRDv8nSQ2koiDh7vzaUaPr4ssoHVVtbn83Su26LUovFaUfKz20WKGEvDrNx6Isq4oDV4LSOVSh6Oxd16AXFi6a4iYcNf/d/2BXQ4K9rQv0apUJ73LDjw9iLconLIY2B+81yuv+xCp2CzJ8FIxuhHhVvbDgxseldxNZ7hBUxgwFngS2nTdilcZZw4QGmtnIW6J07G6klZgB8w68lYO9ALUFahmmjwLzrYqw+uSop+ScHahchQEVB1dIjclvT2RZy1x3JN5U8LVnU+XND6z0S4iWgUA2avASJ7jr3natf1m5YoYLp6XQlJfxU0ms0f1sHleFWt+j0SX4X3Jy8j0MZqXlqrRgECSRe/Qsk2lgpRiYDh3vm/GbYvxy6OF8Pl+Mr9IdjXWObe53Uo3pKA5rvfC6/rI1Sx4PfyqSvCURaEmDjzwr6k8lomFrCl1zUV9azWvMdVAyYMJ8skK7BG7NaCZSUZGFoz0j4v7hbM0xQPFlOS78HhKuWlQ+M9mp6BYOLw1wYjulgFc+D8PNuDJFm+2rCNf2QXD+0V0idru5xchmeGaRu7pCi1TiaFU2LoKcCdIPHcDjI3zJ0iuh26J630Cz10pqeX1JEhklMoemsoxeHYZ7UqdADla+HLrWrmLOCriP14+vBG4Zpok+bWbhXtwA9bSAVj9PAPBo2FPjObdBce2cGTv6O2M71sQFAAAAAbKJnlm16JBUvtKTLZByIr0lYfvgy6P3irjYsoi/hijBzRrmVIjNUzG55L55vxjPP97hsi36Hh3+XFI1OJjpqwQ==" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02lriaqphlnqvfzi | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dmebvijkfpllqn\DeviceId = "<Data LastUpdatedTime=\"1737795639\"><User username=\"02DMEBVIJKFPLLQN\"><HardwareInfo BoundTime=\"1737795640\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02dmebvijkfpllqn\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qhvgcamqhyqfry\Provision Saturday, January 25, 2025 09:00:32 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAACfuwITqqwRk9ZUgnEaCXYOW14Nw8khxQwJHpVQk3uihwAAAAAOgAAAAAIAACAAAADNpJT4yuWlOEe1USPd9cNXRvPcocpMFlTT4Q7iNbBCUCAAAAAew1UquTWQ5/KFyolniuVNHBR/leLWBlrbECSEMV4B00AAAACN15mjwHeLkq9eo4yox7/UYef5/XlQOc2H4M8tQoc+tbRP5AYY7tixVz3GKGLneqA75SK+bNsGp6MCyNt+lyay" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02bpaoculioqqvol\Provision Saturday, January 25, 2025 09:00:32 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAAAAAQZgAAAAEAACAAAAB5dZK1hAyRqWrPvDaU07rH+vhUY4cN5IvRPMz5uz4eegAAAAAOgAAAAAIAACAAAAAbbFlc/a8CA8oAzjufSWcdBt12Pr2xOkJY2VFku8WivyAAAADsZBRJvycBud0a40JulNeshJM3kALn8760zdZOu0qRjUAAAAA/xviiFYWNp3MvDzZeAz5RCQq7hWfQ+K0FQJZHvotXVgV68Vg9ouV/L/k1JS2d2ZlPn9e5FzkcSEm/QD2HIH6a" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qckosqzcprbpdn\Request Saturday, January 25, 2025 09:00:40 = "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" | C:\Windows\system32\svchost.exe | N/A |
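The base64 values that svchost.exe writes under IdentityCRL\DeviceIdentities\production\Logs in the table above all begin with AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA, which decodes to the fixed header of a Windows DPAPI blob (the output of CryptProtectData): version 1 followed by the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb. The parser below is an added example and is not part of the report or of any Microsoft tooling. It walks the public DPAPI blob layout (the field order documented by mimikatz and dpapick), names the cipher and hash from their CryptoAPI ALG_ID values, and extracts the master key GUID, which it then matches against the Protect\S-1-5-18\User\<guid> file that lsass.exe wrote in the "Drops file in System32 directory" table. The input value is copied from the 02dmebvijkfpllqn Provision row and the file list from the lsass.exe rows; the field names and the helper function are this example's own. Nothing is decrypted, since that needs the master key itself.

```python
import base64
import struct
import uuid

# Fixed provider GUID found at offset 4 of every DPAPI blob (a Windows constant).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values (wincrypt.h) that appear in blob headers.
ALG_NAMES = {
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
    0x800E: "CALG_SHA_512",
}

# Copied from the report: the ...\Logs\02dmebvijkfpllqn\Provision value written by svchost.exe.
PROVISION_VALUE = (
    "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0y8S0S7KMEunDqU3gBf01wAAAAACAAAA"
    "AAAQZgAAAAEAACAAAADcJ+p/b0FsPWhiyOhlEQbC3reYnZFEqN2zQCWwNjFKzwAA"
    "AAAOgAAAAAIAACAAAAAFXvAkqoYj+KTZCACSkSpdYzO0AbOX7ZN4KMEVnU1+9CAA"
    "AAC/JsRdRg7e7H0YyAI1S1EnQEj+NuiHZ7fezdizZIZ6K0AAAAC1Mq6TPBctFfYv"
    "U1CmEtZt3liaID7xpdTS+/Nu3lOfHC7gRP4IOWskZe7KTKic6yKvah8K59yxYMrQ"
    "7Nb82SNS"
)

# Copied from the report's "Drops file in System32 directory" table (the lsass.exe rows).
LSASS_WRITES = [
    r"C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred",
    r"C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\d1122fd3-ca2e-4b30-a70e-a5378017f4d7",
    r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D",
]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _counted(buf, off):
    """Read a little-endian DWORD length, then that many bytes; return (bytes, next offset)."""
    n = _u32(buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length field runs past the end of the blob")
    return buf[off:off + n], off + n


def parse_dpapi_blob(b64):
    """Parse the header fields of a DPAPI blob (CryptProtectData output) given as base64."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 48 or _u32(raw, 0) != 1:
        raise ValueError("not a version-1 DPAPI blob")
    provider = uuid.UUID(bytes_le=raw[4:20])
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"unexpected provider GUID {provider}")
    master_key = uuid.UUID(bytes_le=raw[24:40])        # names the master key file that decrypts it
    desc, off = _counted(raw, 44)                       # UTF-16 description, usually just a terminator
    alg_crypt, crypt_bits = _u32(raw, off), _u32(raw, off + 4)
    salt, off = _counted(raw, off + 8)
    _hmac_key, off = _counted(raw, off)                 # zero-length in this blob
    alg_hash, hash_bits = _u32(raw, off), _u32(raw, off + 4)
    hmac2_key, off = _counted(raw, off + 8)
    data, off = _counted(raw, off)                      # the ciphertext
    sign, off = _counted(raw, off)                      # HMAC over the blob
    return {
        "master_key_version": _u32(raw, 20),
        "master_key": str(master_key),
        "flags": _u32(raw, 40),
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": crypt_bits,
        "salt_len": len(salt),
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": hash_bits,
        "hmac2_key_len": len(hmac2_key),
        "data_len": len(data),
        "sign_len": len(sign),
        "size": len(raw),
        "consumed": off,                                # equals size when the blob is intact
    }


def find_master_key_file(info, written_paths):
    """Return the written file whose name is the blob's master key GUID, if any."""
    guid = info["master_key"].lower()
    for path in written_paths:
        if path.rsplit("\\", 1)[-1].lower() == guid:
            return path
    return None


if __name__ == "__main__":
    info = parse_dpapi_blob(PROVISION_VALUE)
    for key, value in info.items():
        print(f"{key:20} {value}")
    print("master key file     ", find_master_key_file(info, LSASS_WRITES))
```

Running it shows the value is AES-256/SHA-512 protected under master key d1122fd3-ca2e-4b30-a70e-a5378017f4d7, the same GUID as the Protect\S-1-5-18\User file lsass.exe created. That ties these HKEY_USERS writes to routine identity provisioning under the SYSTEM account rather than to the sample, and it is also the first step of offline DPAPI recovery: that master key file plus the machine's DPAPI_SYSTEM secret are what a forensic tool needs to decrypt the value.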
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
$Extend\$Quota is the NTFS quota metafile and $Q:$INDEX_ALLOCATION is its quota index; the handle is opened by wmiprvse.exe (WMI), not by the sample, so this row is not an alternate data stream created by the malware.
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
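The tables above mix a handful of actions by the sample with hundreds of reads and writes by Windows services. As an added example (not part of the report or of any vendor's tooling), the script below reads rows in the page's four-column format, keeps those attributed to UZI.exe or the dropped oqrtgtd1.jt0.exe, flags the two persistence artifacts a responder pulls from the sandbox disk first (task files outside the Microsoft\ tree, such as Tasks\MasonUZI.exe, and service ImagePath writes), and detects an A: to Z: drive-letter sweep by a single process. The rows embedded in it are copied from this page; the threshold of 8 drive letters and the label names are this example's own choices.

```python
import re
from collections import defaultdict

# Process paths of the sample and its dropped binary, as printed in the report (lower-cased).
SAMPLE_PROCESSES = {
    r"c:\users\admin\appdata\local\temp\uzi.exe",
    r"c:\users\admin\appdata\local\temp\oqrtgtd1.jt0.exe",
}

# Task definitions live under System32\Tasks; Windows' own sit in the Microsoft\ subtree.
TASK_ROOT = "c:\\windows\\system32\\tasks\\"
MS_TASK_TREE = TASK_ROOT + "microsoft\\"
# ...\Services\<name>\ImagePath = "<value>"  (the report doubles backslashes inside values)
IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath\s*=\s*\"(.*)\"$", re.IGNORECASE)
# \??\X:  a drive-letter root, the unit of a connected-drive sweep
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")

# Rows copied from the report (a subset); the last ten are the start of the drive sweep.
ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\MasonUZI.exe | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
""".strip().splitlines()


def parse_row(line):
    """Split one '| Description | Indicator | Process | Target |' row; None for header/separator lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    return tuple(cells)


def persistence(desc, indicator):
    """Persistence artifacts worth pulling from the sandbox disk image for this row."""
    hits = []
    low = indicator.lower()
    if low.startswith(TASK_ROOT) and not low.startswith(MS_TASK_TREE):
        hits.append(("task", indicator))
    m = IMAGEPATH_RE.search(indicator)
    if m and desc.lower().startswith("set value"):
        hits.append(("service", m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits


def triage(rows):
    """Split rows by attribution and collect persistence hits (each tagged with its process)."""
    out = {"sample": [], "persistence": [], "system": 0}
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        desc, indicator, process, _target = row
        if process.lower() in SAMPLE_PROCESSES:
            out["sample"].append((desc, indicator, process))
        else:
            out["system"] += 1
        for hit in persistence(desc, indicator):
            out["persistence"].append(hit + (process,))
    return out


def drive_sweeps(rows, threshold=8):
    """Processes that opened at least `threshold` distinct drive-letter roots, with the letters."""
    letters = defaultdict(set)
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        m = DRIVE_RE.match(row[1])
        if m:
            letters[row[2]].add(m.group(1))
    return {proc: sorted(seen) for proc, seen in letters.items() if len(seen) >= threshold}


if __name__ == "__main__":
    result = triage(ROWS)
    print(f"{len(result['sample'])} rows by the sample, {result['system']} by Windows binaries")
    for hit in result["persistence"]:
        print("persistence:", hit)
    for proc, seen in drive_sweeps(ROWS).items():
        print(f"drive sweep by {proc}: {''.join(seen)}")
```

On these rows it reports three sample-attributed actions (the Geo\Nation read and the two SeDebugPrivilege enables), the MasonUZI.exe task file, the DoSvc ImagePath write by WaaSMedicAgent.exe with its svchost host line, and a ten-letter sweep by svchost.exe. Paste in the full tables and the counts scale; the labels are what to verify against the disk image, not a verdict.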
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\UZI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 (privilege value 33, SeIncreaseWorkingSetPrivilege, shown by number because the name was not resolved) | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
C:\Users\Admin\AppData\Local\Temp\UZI.exe
"C:\Users\Admin\AppData\Local\Temp\UZI.exe"
C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe
"C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe"
C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 64 -s 3656
C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "MasonUZI.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\UZI.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bfedf3bdba9daaf9dbc373339bbdaefd e4EmNk87oUWDBNh7yQufcg.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 195.88.218.126:10134 | N/A | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.218.88.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.109.54.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
Files
memory/2648-0-0x00007FFBE16B3000-0x00007FFBE16B5000-memory.dmp
memory/2648-1-0x0000028461670000-0x000002846178A000-memory.dmp
memory/2648-2-0x0000028461B30000-0x0000028461B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oqrtgtd1.jt0.exe
| MD5 | 94f1ab3a068f83b32639579ec9c5d025 |
| SHA1 | 38f3d5bc5de46feb8de093d11329766b8e2054ae |
| SHA256 | 879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0 |
| SHA512 | 44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c |
memory/2944-12-0x00007FFBFE790000-0x00007FFBFE84E000-memory.dmp
memory/2944-11-0x00007FFBFF5D0000-0x00007FFBFF7C5000-memory.dmp
memory/616-14-0x0000022080110000-0x000002208013B000-memory.dmp
memory/64-23-0x0000023A907E0000-0x0000023A9080B000-memory.dmp
memory/440-38-0x000001F10D090000-0x000001F10D0BB000-memory.dmp
memory/440-36-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/440-35-0x000001F10D090000-0x000001F10D0BB000-memory.dmp
memory/956-33-0x00007FFBFF66C000-0x00007FFBFF66D000-memory.dmp
memory/956-32-0x000001997C640000-0x000001997C66B000-memory.dmp
memory/956-30-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/956-29-0x000001997C640000-0x000001997C66B000-memory.dmp
memory/1268-67-0x0000027499DB0000-0x0000027499DDB000-memory.dmp
memory/1300-74-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/612-88-0x0000020078C00000-0x0000020078C2B000-memory.dmp
memory/612-53-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1472-82-0x0000025F83D30000-0x0000025F83D5B000-memory.dmp
memory/1416-80-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1416-79-0x000001D261AB0000-0x000001D261ADB000-memory.dmp
memory/1400-77-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1400-76-0x000001FAE11A0000-0x000001FAE11CB000-memory.dmp
memory/1300-73-0x0000011484A30000-0x0000011484A5B000-memory.dmp
memory/1276-71-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1276-70-0x000001E78CA60000-0x000001E78CA8B000-memory.dmp
memory/1268-68-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1164-65-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1164-64-0x0000016F6DD60000-0x0000016F6DD8B000-memory.dmp
memory/1092-62-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1092-61-0x0000023A353A0000-0x0000023A353CB000-memory.dmp
memory/1072-59-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1072-58-0x000001C267170000-0x000001C26719B000-memory.dmp
memory/1028-56-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/1028-55-0x0000025037C60000-0x0000025037C8B000-memory.dmp
memory/612-52-0x0000020078C00000-0x0000020078C2B000-memory.dmp
memory/64-28-0x00007FFBFF66D000-0x00007FFBFF66E000-memory.dmp
memory/64-27-0x0000023A907E0000-0x0000023A9080B000-memory.dmp
memory/672-26-0x000001A636AA0000-0x000001A636ACB000-memory.dmp
memory/616-25-0x00007FFBFF66D000-0x00007FFBFF66E000-memory.dmp
memory/616-24-0x0000022080110000-0x000002208013B000-memory.dmp
memory/672-19-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/672-18-0x000001A636AA0000-0x000001A636ACB000-memory.dmp
memory/616-15-0x00007FFBBF650000-0x00007FFBBF660000-memory.dmp
memory/616-13-0x00000220800E0000-0x0000022080105000-memory.dmp
memory/64-278-0x00007FFBFF66C000-0x00007FFBFF66D000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F44.tmp.csv
| MD5 | 8c5df0a6344fa7c3c273554482b7d4f1 |
| SHA1 | 899d6be48041a24b34281cf421e700bbd411b9b6 |
| SHA256 | a43259f88de281971e18c5a81aeeada018d2734ca6e9384cf1b05dd08adbfd5c |
| SHA512 | a6269df92d5c6989b8fca6a2f8a1e2a9d177b833ae2572cf29d586c9c24a7513b4e314216249c108d6e055f3b12bd7e1808b4d132b897c2e3d8a0576f7a50a80 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F64.tmp.txt
| MD5 | cb3fabbe8883d02a71682bd9d9fdfab2 |
| SHA1 | 0946e919fcfabb8fef24473dc0391a4b05e0b233 |
| SHA256 | 938a9368c339010d6a3a466c074c19f07d81927dc6f4bcfe863f1b29f1838e44 |
| SHA512 | 077f5b21f970cf70ef1c8d67977b36d224d19f79e5682e9465e82359fc8833c728dc071d625a169c6fe4d57027c4e7ffa3e6161748018a06bf23e9cbf097bf63 |
memory/64-335-0x00007FFBFF66F000-0x00007FFBFF670000-memory.dmp
memory/2648-343-0x000002847BFE0000-0x000002847C0C8000-memory.dmp
memory/2648-348-0x00007FFBFF5D0000-0x00007FFBFF7C5000-memory.dmp
memory/2648-347-0x000002847BDD0000-0x000002847BDDE000-memory.dmp
memory/2648-346-0x000002847C0D0000-0x000002847C12C000-memory.dmp
memory/2648-351-0x000002847CA00000-0x000002847CA18000-memory.dmp
memory/2648-350-0x000002847C9F0000-0x000002847CA02000-memory.dmp
memory/2648-355-0x000002847C9E0000-0x000002847C9F0000-memory.dmp
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred
| MD5 | fe5ced3f95701e69ca046669dc57a73b |
| SHA1 | 280e96cdd69d631ca39b6c98d898195914d80076 |
| SHA256 | 37194ae329aa3a6fcc344080840cc6a0f7fa34d5672d16c0de7953a66ec14552 |
| SHA512 | d861d0c51659d8f21a01d4d0002f5fa55300e18494c8e2a9b2359159f41adf84293ca80e20aaaec896fedc886199ac53b1a0e3ec9ce26b0f337ab0447952eb76 |
memory/956-374-0x000001997C640000-0x000001997C66B000-memory.dmp
memory/440-379-0x000001F10D090000-0x000001F10D0BB000-memory.dmp
memory/2648-383-0x000002847CCA0000-0x000002847CCB2000-memory.dmp
memory/2648-384-0x000002847CD00000-0x000002847CD3C000-memory.dmp
memory/2648-385-0x000002847CE50000-0x000002847CF5A000-memory.dmp
memory/2648-386-0x000002847D130000-0x000002847D2F2000-memory.dmp
memory/2648-410-0x00007FFBFF5D0000-0x00007FFBFF7C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-493223053-2004649691-1575712786-1000\Preferred
| MD5 | 7a3c606a4a90be151acfbfd76b0f8f7b |
| SHA1 | 8462e863a7bbcfc13fc7ba9cb74d0593de97632a |
| SHA256 | 88ef5d5288d6fba0d59f7977838119ead239be92a4ca69af6c398ab38f91b6f1 |
| SHA512 | 1993c2fdb3d8cc389ced98d42dee988b02497c0ae64a782a2ddff47e14bef6e8f26804a95623ac42d9959318bae517ffb291f953fd4cdd6dffe322172d643252 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 7ff227358d40d1e950768c88dbf410f2 |
| SHA1 | 95d13f4f4132a713740ec230ce310487e4fc2131 |
| SHA256 | 721b01ae5c60fd904a5efb770541bb3bd8084a72c8c589dce69db705a5cf0111 |
| SHA512 | ddd2e787a9a5d6adb7290e8540934f762d9dc3d8785f872e0eff1ad42aa6e07bd65ba0a278545ca79fd3e3f7b7437fa5a19262ba9c9af3afa22face51929c6a6 |
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | ac2bd707e3562149fc2dfae347d4b6e0 |
| SHA1 | 53671a86727917ab5b96f49e5f5b5b50edb9d2e7 |
| SHA256 | d9fb97d4e554d627b5d55831d776a9ec5e3666d01c96b23e746a60df9629abe6 |
| SHA512 | fa9174cbd967236a0cef65878748c5c8814762970916ad89fb2103c393825b33ed076d8440e5efd2db96beeeae79b5b09d257a02416a6f1d07b76772fa6d8e85 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | fff175f6398b6194904eb08ccb73574b |
| SHA1 | 2f271d8a04d7d7acc62db74ebc1426d44c9bb8cb |
| SHA256 | 0f3948f22bc48e3dee649c35372b90f73304d805cf721c3f36a0f1e479b7152b |
| SHA512 | 8f2ac362ba4301d0b53b29972d9e8fd4c4dce18d1c2ef4d89742cc3c51fe0ad86b80ff76b23ce65ec7eaa58ef78b9876ac1d1806256a0977cb3815df243fb1c3 |