---
type: client
name: ucryo
display_name: Universal Cryogenics
last_compiled: 2026-06-02
compiled_by: GURU-5070/claude-main
sources:
  - clients/ucryo/session-logs/2026-06-02-session.md
  - clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md
  - clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md
  - clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md
  - clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md
  - clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md
  - clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md
  - clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md
  - clients/ucryo/onboarding-baselines/LILO-20260603T005456.md
backlinks:
  - projects/gururmm
---

# Universal Cryogenics

Industrial cryogenics company. ACG onboarded 2026-06-02. Domain: `ucryo.local`. Client shortname / code: UCRYO.

Two Windows Server 2012 R2 Essentials hosts (one DC, one Hyper-V/Veeam backup host) plus six domain-joined Windows workstations. All 8 agents graded RED on the initial diagnostic.

Active security history: December 2019 TrickBot infection on the domain controller, remediated 2026-06-02 with one critical open item remaining (confirmation of the KRBTGT/domain credential reset).

---

## Profile

- **Client code:** UCRYO
- **Domain:** ucryo.local
- **MSP360 backup contact:** richard@ucryo.com
- **Key contacts:** richard@ucryo.com (billing/backup contact; identity not yet verified)
- **Management stack (ACG-deployed):** GuruRMM, ScreenConnect (instance `instance-kgc7jt-relay.screenconnect.com`), Splashtop Streamer, Syncro

---

## Infrastructure

### Servers

| Host | OS | Role | Agent ID | Notes |
|---|---|---|---|---|
| UC2-SERVER | Windows Server 2012 R2 Essentials (build 9600) | Domain Controller (AD DS, DNS, DHCP, WSUS, AD CS), File Server | `64cff183-429c-44bf-aebd-55386417a494` | Likely a guest VM (Hyper-V on WIN-709JUVCJ2DQ; verify). Drives C: (500 GB) and E: (931 GB; shares OFFICE DOCS, Projects, QB2020, UCDATA, x-files, Offsite Archive). MSP360 backup plan "Ucryo Files". IP: 172.29.0.5. SMBv1 ENABLED. |
| WIN-709JUVCJ2DQ | Windows Server 2012 R2 Essentials (build 9600) | Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts) | `b7311d8a-6c5e-4aa5-9abf-79212d344009` | Physical Dell PowerEdge 2950 (serial 762F0G1). UC2-SERVER is likely a guest VM on this host (verify). Drives C:/E:/F:/M: (M: is 4.7 TB MWF-Backup). IP: 172.29.0.4. Workgroup (not domain-joined). SMBv1 ENABLED. E: critically low (4.1% free, 40.4 GB of 983.6 GB). Veeam services stopped. |

### Workstations

| Host | OS | Form Factor | Agent ID | Notable |
|---|---|---|---|---|
| DESKTOP-PMML1JC | Windows 11 Pro (build 26200) | Laptop (Lenovo 81Y8) | `286cf717-86ac-4985-b0a6-0254fba0dfdb` | Broken domain secure channel. 3 disk errors in 14 days. BitLocker off. OpenVPN + NordLynx present. |
| KIRBY | Windows 10 Pro (build 19045) | Laptop (Lenovo 82K8) | `82f16929-ec3c-434b-81f9-84b63e0af56d` | **BitLocker OFF on a laptop; primary critical.** Win10 22H2 EOL (2025-10-14). 4 pending patches. |
| gromit | Windows 10 Pro (build 19045) | Desktop (Lenovo 20FRS1RQ00) | `20da3f2f-6bef-4d8c-b6fa-141d47a01d52` | Win10 22H2 EOL. 9 pending patches. BitLocker off. Group Policy Client service stopped. |
| hobbes | Windows 10 Pro (build 19045) | Laptop (Dell Precision M4800) | `a336deb1-6d09-4ade-b2c3-0b258664f4bd` | Win10 22H2 EOL. BitLocker off. 1 unexpected shutdown + 1 disk error in 14 days. |
| hoborg | Windows 10 Pro (build 19045) | Laptop (Lenovo 20ENCTO1WW) | `89ee0a5d-49f2-4334-8e49-eaafa389e9ec` | Win10 22H2 EOL. BitLocker off. **Toshiba SSD SMART Warning (wear=100%); imminent failure risk.** Dual AV: Defender + SentinelOne. |
| lilo | Windows 10 Pro (build 19045) | Laptop (Lenovo 20EQS12M00) | `5d0bdfc0-cb58-496f-b9bd-d585eb643d85` | Win10 22H2 EOL. BitLocker off. Uptime 82 days. |

All agents run GuruRMM v0.6.54.

---

## GuruRMM Onboarding

Onboarded 2026-06-02. Single site "Main".
| Field | Value |
|---|---|
| client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` |
| site_id | `345e59d2-ca30-4b9c-b703-c19915b47753` |
| site_code | `LIGHT-WOLF-2305` |
| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` |
| MSI URL | `https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer` |
| Vault | `clients/ucryo/gururmm-site-main.sops.yaml` (fields: client_id, site_id, site_code, api_key, installer_url, msi_url) |

---

## [WARNING] Security History: 2019 TrickBot Incident

**This section must be reviewed before any domain-level changes.**

### Background

In December 2019, TrickBot infected UC2-SERVER (the domain controller). A hidden SYSTEM scheduled task named "System Health Application" (boot trigger plus every 12 minutes, RunLevel HighestAvailable) launched a module loader from the SYSTEM profile. The launcher EXE was already gone by the time of discovery; the task had been failing on every run since, with last result `0x80070002` (ERROR_FILE_NOT_FOUND).

The TrickBot module folder remained intact under the SYSTEM profile:

`C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\`

Modules present: `injectDll64` (browser web injects), `pwgrab64` (credential theft), `psfin64`, `importDll64`, `tabDll64`, `mwormDll64` and `mshareDll64` (SMB lateral movement), `networkDll64` (domain/network reconnaissance), `NewBCtestnDll64`, plus the `dinj`/`dpost`/`sinj` config files and `settings.ini`. The presence of the lateral-movement modules is why the second server was swept as well.

WIN-709JUVCJ2DQ was swept clean; no TrickBot artifacts were found.

### Remediation (2026-06-02)

All cleanup was done read-only first, then gated on explicit client confirmation before any writes (DC-safety protocol):

1. Copied the module folder to quarantine: `C:\Quarantine\syshealth-trickbot-20260602-170235\`
2. Deleted the scheduled task "System Health Application"
3. Removed the original folder `...syshealth\`

The quarantine copy is preserved as the IR record. No active C2 traffic was expected: the launcher had been gone for years and the task was failing on every run.
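The re-check below is an added example, not the commands recorded in the session log. It reproduces the remediation's two phases for any host: a read-only sweep for scheduled tasks that run as SYSTEM with elevated rights from a path under the SYSTEM profile (the pattern of the "System Health Application" task, including its `0x80070002` last result), and a quarantine function that only writes after an explicit confirmation prompt. The task name, folder and quarantine root default to this incident's values but are parameters; the SHA-256 manifest written into the quarantine folder is an addition for the IR record. Written for PowerShell 4.0 as shipped on Server 2012 R2.

```powershell
# Added example (not from the session log). Phase 1 is read-only; phase 2 prompts before writing.

function Find-SystemProfileTasks {
    # Flag tasks that run as SYSTEM, elevated, with an action that lives under the SYSTEM profile.
    $sysProfile = Join-Path $env:SystemRoot 'System32\config\systemprofile'
    foreach ($task in Get-ScheduledTask) {
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $runsAsSystem = $task.Principal.UserId -match '^(NT AUTHORITY\\)?SYSTEM$|^S-1-5-18$'
            $elevated     = "$($task.Principal.RunLevel)" -eq 'Highest'
            $fromProfile  = $exe -like "$sysProfile\*"
            if ($runsAsSystem -and $elevated -and $fromProfile) {
                [pscustomobject]@{
                    TaskName      = $task.TaskName
                    TaskPath      = $task.TaskPath
                    Execute       = $exe
                    Arguments     = $action.Arguments
                    ExeExists     = Test-Path -LiteralPath $exe
                    LastRunTime   = $info.LastRunTime
                    LastResultHex = '0x{0:X8}' -f $info.LastTaskResult   # 0x80070002 = ERROR_FILE_NOT_FOUND
                    NextRunTime   = $info.NextRunTime
                }
            }
        }
    }
}

function Invoke-TaskQuarantine {
    # Copy the module folder aside, hash it, unregister the task, then remove the original.
    # ConfirmImpact High means the caller is prompted unless -Confirm:$false is passed deliberately.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$TaskName       = 'System Health Application',
        [string]$TaskPath       = '\',
        [string]$ModuleDir      = "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\syshealth",
        [string]$QuarantineRoot = 'C:\Quarantine'
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $QuarantineRoot ('{0}-{1}' -f (Split-Path $ModuleDir -Leaf), $stamp)
    if (-not $PSCmdlet.ShouldProcess($ModuleDir, "copy to $dest, unregister '$TaskName', delete original")) { return }
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -LiteralPath $ModuleDir -Destination $dest -Recurse -Force
    Get-ChildItem -LiteralPath $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv -LiteralPath (Join-Path $dest 'sha256-manifest.csv') -NoTypeInformation
    Unregister-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Confirm:$false
    Remove-Item -LiteralPath $ModuleDir -Recurse -Force
    $dest
}

# Phase 1: read-only sweep. Nothing changes unless Invoke-TaskQuarantine is called and confirmed.
Find-SystemProfileTasks | Format-Table -AutoSize
# Phase 2 (after client sign-off):  Invoke-TaskQuarantine
```

Run phase 1 on every host in scope, not only the DC; a clean result is a list with no rows, and a row whose `ExeExists` is `$false` with `LastResultHex` of `0x80070002` is exactly the orphaned-loader state found here.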
**No free Ryuk decryptor exists.** (TrickBot infections of this period were commonly followed by Ryuk ransomware deployment.) A reported "crypto" folder of encrypted data could not be located on either server; the client concluded it was misremembered.

### [OPEN - CRITICAL] KRBTGT / Domain Credential Reset

**pwgrab64 (credential theft module) ran on a domain controller in 2019.** Domain credentials, service account passwords and the KRBTGT hash were therefore potentially exposed at that time. An attacker holding the KRBTGT hash can forge TGTs (golden tickets) until the KRBTGT password has been changed twice, because the KDC accepts tickets signed with the current key and the previous one. Standard post-DC-compromise IR requires:

- Double rotation of the KRBTGT password. Between the two rotations, wait for replication to converge on every DC and, unless responding to an active breach, for the maximum TGT lifetime to elapse (10 hours by default) so that tickets issued under the previous key are not invalidated mid-session.
- Reset of all domain user passwords and service account passwords.

**Status: UNCONFIRMED.** Whether a post-incident credential/KRBTGT reset was performed in 2019 or afterwards has not been verified with the client. Until confirmed, the residual risk is an unrotated KRBTGT on a domain that had a credential-theft module running with SYSTEM privileges on the DC.

**Action required:** Ask the client or review any 2019/2020 IT records. Independently of records, the `PasswordLastSet` attribute of the `krbtgt` account on UC2-SERVER is authoritative: a value earlier than the December 2019 infection means no post-incident reset was ever done. If it was never done, execute it during a scheduled maintenance window (on this single-DC domain the replication wait is trivial; the ticket-lifetime wait between the two rotations still applies).

---

## Backup

### MSP360 "Ucryo Files" Plan (UC2-SERVER)

| Field | Value |
|---|---|
| Plan name | "Ucryo Files" |
| Plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` |
| Account | richard@ucryo.com |
| Target | Backblaze B2 (api001.backblazeb2.com) |
| Vault | `msp-tools/msp360-api.sops.yaml` (shared MSP360 API creds) |

**Backblaze TLS failure, fixed 2026-06-02.** UC2-SERVER (Windows Server 2012 R2) was failing TLS negotiation to Backblaze. Root cause: the 64-bit .NET Framework strong-crypto registry values (`SchUseStrongCrypto`, `SystemDefaultTlsVersions`) were unset. On this OS generation (2012 R2 / Win7-8 era) a .NET 4.x application built against the 4.5-era defaults then offers only SSL 3.0/TLS 1.0, so the TLS 1.2 handshake the Backblaze endpoint expects never completes. First secure-channel error logged 2025-10-15; escalated to hard-failing by 2026-06-02.
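The script below is an added example, not the commands run in the session. It audits the two registry values the fix relies on in both the 64-bit and WOW6432Node hives, applies them only when `-Apply` style confirmation is given (`-WhatIf` previews), restarts the two MSP360 services named in the fix list, and refuses to run on any build newer than 9600 so that the "do not apply fleet-wide" note is enforced by the script itself. The service display names are assumed to be the ones recorded in the session log.

```powershell
# Added example (not from the session log). Read-only unless Set-DotNetTlsState is invoked.

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$Values   = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 }
# Assumed display names, as recorded for the UC2-SERVER fix.
$Services = @('Online Backup Service', 'Online Backup Service Remote Management')

function Get-DotNetTlsState {
    # One row per hive/value; Current = $null means the value is absent (the failing state).
    foreach ($key in $Keys) {
        foreach ($name in $Values.Keys) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                Current  = $current
                Expected = $Values[$name]
                Ok       = ($current -eq $Values[$name])
            }
        }
    }
}

function Set-DotNetTlsState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Build 9600 = Server 2012 R2 / Windows 8.1. Anything newer already negotiates TLS 1.2; refuse.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -gt 9600) {
        throw "Build $build is newer than 2012 R2/8.1; this fix is legacy-only. Nothing changed."
    }
    foreach ($state in (Get-DotNetTlsState | Where-Object { -not $_.Ok })) {
        if ($PSCmdlet.ShouldProcess("$($state.Key)\$($state.Name)", "set DWORD = $($state.Expected)")) {
            if (-not (Test-Path $state.Key)) { New-Item -Path $state.Key -Force | Out-Null }
            New-ItemProperty -Path $state.Key -Name $state.Name -PropertyType DWord `
                -Value $state.Expected -Force | Out-Null
        }
    }
    # .NET reads these values at process start, so the agent must be restarted to pick them up.
    foreach ($svcName in $Services) {
        $svc = Get-Service | Where-Object { $_.DisplayName -eq $svcName -or $_.Name -eq $svcName }
        if ($svc -and $PSCmdlet.ShouldProcess($svcName, 'Restart-Service')) {
            $svc | Restart-Service
        }
    }
    Get-DotNetTlsState
}

Get-DotNetTlsState | Format-Table -AutoSize
# Set-DotNetTlsState -WhatIf     # preview; drop -WhatIf to apply on UC2-SERVER
```

After applying, the `cbb plan -r "Ucryo Files"` check recorded under "Post-fix verification" is the confirmation that the agent is actually negotiating TLS 1.2, since the registry values alone only change the default the process starts with.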
Fix applied to UC2-SERVER:

- `HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319`: `SchUseStrongCrypto=1`, `SystemDefaultTlsVersions=1` (DWORD)
- `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319`: the same two values
- Restarted "Online Backup Service" and "Online Backup Service Remote Management" (.NET reads these values at process start, so the restart is required for them to take effect)

Post-fix verification: `cbb plan -r "Ucryo Files"` returned "Plan is started"; zero secure-channel errors in a 5-minute window; scanned 474.9 GB, uploaded 2.15 GB.

**Note:** This fix is legacy-OS-specific. Do NOT apply it fleet-wide: modern OS (Server 2016/2019/2022, Win10/11) already negotiates TLS 1.2 by default, and the missing values are benign on those platforms.

### Veeam (WIN-709JUVCJ2DQ)

WIN-709JUVCJ2DQ has Veeam installed. All four primary Veeam services (VeeamBackupSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamMountSvc) were stopped at baseline time. Confirm Veeam job status and why the services are stopped. (verify)

---

## Diagnostic Baselines: 2026-06-02

Baselines collected UTC 2026-06-03T00:35 to 00:54 (sequential run, after a parallel run caused agent interruptions under concurrent load). Raw JSON snapshots are immutable at `clients/ucryo/onboarding-baselines/`.

### Per-Host Summary

| Host | Grade | Criticals | Warnings | Standout Findings |
|---|---|---|---|---|
| UC2-SERVER | RED | 1 | 5 | CRITICAL: SMBv1 enabled (WannaCry/EternalBlue vector). Defender cmdlet unavailable (Server 2012 R2). RDP enabled. 3 stopped auto-start services (AD CS, IIS, ShellHWDetection). 36.5-day uptime, reboot pending. BitLocker unavailable (verify). 12 local admins. EOL OS (Server 2012 R2 extended support ended 2023-10-10; build 9600 is not in the agent's EOL map). |
| WIN-709JUVCJ2DQ | RED | 2 | 4 | CRITICAL: SMBv1 enabled. **CRITICAL: E: drive at 4.1% free (40.4 GB of 983.6 GB); urgent.** Defender unavailable. RDP enabled. Veeam services stopped. Not domain-joined (WORKGROUP). 36.5-day uptime. EOL OS (Server 2012 R2, see above). |
| DESKTOP-PMML1JC | RED | 3 | 3 | CRITICAL: BitLocker off (laptop). CRITICAL: 3 disk errors in 14 days. CRITICAL: domain secure channel broken. 2 pending patches. |
| KIRBY | RED | 2 | 4 | CRITICAL: **BitLocker OFF (laptop; highest data-at-rest risk).** CRITICAL: Win10 22H2 EOL (2025-10-14). 4 pending patches. RDP enabled. Reboot pending, 35-day uptime. |
| gromit | RED | 1 | 5 | CRITICAL: Win10 22H2 EOL. BitLocker off (desktop). 9 pending patches. RDP enabled. Group Policy Client stopped. |
| hobbes | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. Unexpected shutdown + disk error in 14 days. RDP enabled. |
| hoborg | RED | 3 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. **CRITICAL: Toshiba SSD SMART Warning (wear=100%); replace immediately.** Dual AV (Defender + SentinelOne; possible conflict). RDP enabled. |
| lilo | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. 82-day uptime. RDP enabled. Group Policy Client + TPM Provisioning stopped. |

### Fleet-Wide Patterns

- All 8 hosts graded RED.
- SMBv1 enabled on both servers (WannaCry/EternalBlue vector; disable before enabling any internet-facing services).
- Win10 22H2 EOL on 5 of the 6 workstations (EOL 2025-10-14, no further security patches). DESKTOP-PMML1JC is on Windows 11 and is not affected.
- BitLocker off on all 6 workstations: the 5 laptops (KIRBY, DESKTOP-PMML1JC, hobbes, hoborg, lilo) and the gromit desktop. Servers have BitLocker status UNKNOWN (cmdlet unavailable on 2012 R2).
- RDP enabled on all 8 hosts; confirm firewall restriction to internal/VPN only.
- No LAPS on servers. LAPS registry key present on workstations.
- No backup agent on any workstation.

---

## Open Items / Follow-ups

| Priority | Item | Notes |
|---|---|---|
| CRITICAL | Confirm 2019 KRBTGT/domain credential reset | pwgrab64 ran on the DC; if the reset was never done, this is the primary residual risk. `krbtgt` PasswordLastSet on UC2-SERVER answers it without relying on client records. |
| HIGH | hoborg SSD replacement | Toshiba SMART Warning, wear=100%. Back up data first. |
| HIGH | WIN-709JUVCJ2DQ E: drive space | 4.1% free (40.4 GB). Identify what is consuming the volume and free/expand. |
| HIGH | Disable SMBv1 on UC2-SERVER and WIN-709JUVCJ2DQ | WannaCry/EternalBlue vector. `Set-SmbServerConfiguration -EnableSMB1Protocol $false`, then remove the FS-SMB1 feature (reboot required). Check the file server for SMB1-dialect sessions first so no legacy client is cut off unnoticed. |
| HIGH | BitLocker on all 5 laptops | KIRBY highest priority (domain-joined laptop, unencrypted, mobile). Escrow recovery keys to AD DS before enabling. |
| HIGH | Win10 22H2 EOL on 5 workstations | Feature update or OS upgrade required (EOL 2025-10-14): KIRBY, gromit, hobbes, hoborg, lilo. DESKTOP-PMML1JC is already on Windows 11. |
| MEDIUM | DESKTOP-PMML1JC domain secure channel | Run `Test-ComputerSecureChannel -Repair` with a domain credential, or rejoin. |
| MEDIUM | Veeam services stopped on WIN-709JUVCJ2DQ | VeeamBackupSvc/CatalogSvc/CloudSvc/MountSvc all stopped; confirm Veeam job health. |
| MEDIUM | RDP exposure review, all 8 hosts | Confirm RDP is restricted to VPN or specific source IPs and not exposed to the internet. |
| MEDIUM | hoborg dual AV (Defender + SentinelOne) | Verify which AV is intended; remove the other to prevent conflicts. |
| LOW | UC2-SERVER stopped services | AD CS, IIS Admin, ShellHWDetection stopped; review whether these should be running. With AD CS stopped the CA is neither issuing certificates nor publishing CRLs. |
| LOW | LAPS not deployed on servers | Windows LAPS is not available on Server 2012 R2, so UC2-SERVER needs legacy LAPS (AdmPwd). WIN-709JUVCJ2DQ is not domain-joined, so neither applies to it without a domain join. |

---

## Reference

### IDs and URLs

| Resource | Value |
|---|---|
| GuruRMM client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` |
| GuruRMM site_id (Main) | `345e59d2-ca30-4b9c-b703-c19915b47753` |
| GuruRMM site_code | `LIGHT-WOLF-2305` |
| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` |
| MSP360 plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` |
| MSP360 API base | `https://api.mspbackups.com` |
| ScreenConnect instance | `instance-kgc7jt-relay.screenconnect.com` (port 443) |
| ScreenConnect instance GUID | `s=9f3db089-eb29-441d-a9d2-2c441bde8c78` |

### Vault Paths

| Secret | Vault Path |
|---|---|
| GuruRMM enrollment key (site Main) | `clients/ucryo/gururmm-site-main.sops.yaml` |
| MSP360 API credentials | `msp-tools/msp360-api.sops.yaml` |

### Diagnostic Baseline Files

`clients/ucryo/onboarding-baselines/`: 8 immutable `.json` + `.md` pairs, timestamped 20260603T00xxxx UTC.
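### KRBTGT Reset Check and Rotation (added example)

The following is an added example for the CRITICAL open item above; it is not from the session log. `Get-KrbtgtResetStatus` reads the `krbtgt` account's `PasswordLastSet` from the PDC emulator and compares it with the incident month (assumed here as 2019-12-01, the start of the month the page records). `Invoke-KrbtgtReset` performs one rotation, waits until every DC reports the same `PasswordLastSet` (trivial on this single-DC domain, but handled generally), and refuses a second run less than 10 hours after the first unless `-Force` is given, which is the active-breach mode that accepts invalidating outstanding tickets. Run it twice, in a maintenance window, on UC2-SERVER as a Domain Admin with the ActiveDirectory module; it prompts before writing.

```powershell
# Added example (not from the session log). Requires the ActiveDirectory module on a DC.
Import-Module ActiveDirectory

function Get-KrbtgtResetStatus {
    param([datetime]$IncidentDate = '2019-12-01')   # assumed: start of the infection month
    $pdc = (Get-ADDomain).PDCEmulator
    $k   = Get-ADUser krbtgt -Server $pdc -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
    $dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    [pscustomobject]@{
        PasswordLastSet    = $k.PasswordLastSet
        ResetAfterIncident = ($null -ne $k.PasswordLastSet) -and ($k.PasswordLastSet -gt $IncidentDate)
        KeyVersionNumber   = $k.'msDS-KeyVersionNumber'   # increments on every reset; informational
        DomainControllers  = $dcs -join ', '
    }
}

function New-KrbtgtPassword {
    # The value is never typed again; 64 random bytes as base64 is a throwaway credential.
    $bytes = New-Object byte[] 64
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-KrbtgtReset {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [timespan]$MinimumGap = (New-TimeSpan -Hours 10),   # default maximum TGT lifetime
        [switch]$Force                                       # active breach: ignore the gap
    )
    $pdc  = (Get-ADDomain).PDCEmulator
    $dcs  = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    $last = (Get-ADUser krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    if ($last -and -not $Force) {
        $gap = (Get-Date) - $last
        if ($gap -lt $MinimumGap) {
            throw "krbtgt was reset $([int]$gap.TotalMinutes) min ago; wait $($MinimumGap.TotalHours) h between rounds or use -Force."
        }
    }
    if (-not $PSCmdlet.ShouldProcess('krbtgt', "reset on $pdc and wait for $($dcs.Count) DC(s) to converge")) { return }
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-KrbtgtPassword) -Server $pdc
    $new = (Get-ADUser krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    # pwdLastSet is a replicated attribute: every DC must report the identical timestamp.
    do {
        $stale = foreach ($dc in $dcs) {
            if ((Get-ADUser krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet -ne $new) { $dc }
        }
        if ($stale) { Start-Sleep -Seconds 30 }
    } while ($stale)
    Get-KrbtgtResetStatus
}

Get-KrbtgtResetStatus      # ResetAfterIncident = $false means the 2019 reset was never done
# Invoke-KrbtgtReset       # round 1 (prompts); run again at least 10 h later for round 2
```

The status check is read-only and can be run at any time; only `Invoke-KrbtgtReset` changes the domain. It does not cover the second half of the open item (user and service account password resets), which has to be scheduled with the client separately.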
---

## Compilation Notes

**Session logs read:** `clients/ucryo/session-logs/2026-06-02-session.md` (onboarding session, primary source). All 8 diagnostic baseline files read in full.

**First wiki article for this client.** Onboarded 2026-06-02.

**Open items flagged as unverified (verify):**

- KRBTGT/domain credential reset: not confirmed with client; must verify
- Veeam job health on WIN-709JUVCJ2DQ: services stopped, backup status unknown
- Key contacts beyond richard@ucryo.com: not yet documented

## Backlinks

- [[projects/gururmm]]: 8 agents enrolled under site LIGHT-WOLF-2305