ryuk | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

Analysis

max time kernel
122s
max time network
171s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Size

132KB
MD5

ab3681a8456319f1330f7525ec6935c3
SHA1

244e178e2073247893025bd51eb7618173bbac29
SHA256

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512

63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6180 created 2324	6180	WerFault.exe	36

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1840	bcdedit.exe
3556	bcdedit.exe
4832	bcdedit.exe
4904	bcdedit.exe
6400	bcdedit.exe
6448	bcdedit.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	WVeYOuPhBlan.exe
4060	NVEVsJxmblan.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
620	icacls.exe
3984	icacls.exe
2332	icacls.exe
64	icacls.exe
1540	icacls.exe
3704	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5252	3708	WerFault.exe	24
6180	2324	WerFault.exe	36

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
740	vssadmin.exe
4744	vssadmin.exe
6388	vssadmin.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132623575947209929"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000c65afc3c3582d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e507070047007500720020004e006800710076006200200046007200650069007600700072002000760066002000610062006700200065006800610061007600610074002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000fec1a13c3582d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000f4fe5fd9702cd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3272	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2316	sihost.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeBackupPrivilege	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Token: SeIncreaseQuotaPrivilege	4732	WMIC.exe
Token: SeSecurityPrivilege	4732	WMIC.exe
Token: SeTakeOwnershipPrivilege	4732	WMIC.exe
Token: SeLoadDriverPrivilege	4732	WMIC.exe
Token: SeSystemProfilePrivilege	4732	WMIC.exe
Token: SeSystemtimePrivilege	4732	WMIC.exe
Token: SeProfSingleProcessPrivilege	4732	WMIC.exe
Token: SeIncBasePriorityPrivilege	4732	WMIC.exe
Token: SeCreatePagefilePrivilege	4732	WMIC.exe
Token: SeBackupPrivilege	4732	WMIC.exe
Token: SeRestorePrivilege	4732	WMIC.exe
Token: SeShutdownPrivilege	4732	WMIC.exe
Token: SeDebugPrivilege	4732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4732	WMIC.exe
Token: SeRemoteShutdownPrivilege	4732	WMIC.exe
Token: SeUndockPrivilege	4732	WMIC.exe
Token: SeManageVolumePrivilege	4732	WMIC.exe
Token: 33	4732	WMIC.exe
Token: 34	4732	WMIC.exe
Token: 35	4732	WMIC.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
5412	sihost.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
8396	ShellExperienceHost.exe
8308	SearchUI.exe
8396	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3048	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	75
PID 1612 wrote to memory of 3048	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	75
PID 1612 wrote to memory of 4060	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	76
PID 1612 wrote to memory of 4060	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	76
PID 1612 wrote to memory of 2316	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	37
PID 1612 wrote to memory of 2324	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	36
PID 1612 wrote to memory of 2440	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	34
PID 1612 wrote to memory of 3216	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	15
PID 1612 wrote to memory of 1644	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	77
PID 1612 wrote to memory of 1644	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	77
PID 1612 wrote to memory of 3248	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	79
PID 1612 wrote to memory of 3248	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	79
PID 1612 wrote to memory of 3224	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	26
PID 1644 wrote to memory of 892	1644	net.exe	81
PID 1644 wrote to memory of 892	1644	net.exe	81
PID 3248 wrote to memory of 2888	3248	net.exe	82
PID 3248 wrote to memory of 2888	3248	net.exe	82
PID 1612 wrote to memory of 3436	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	25
PID 1612 wrote to memory of 3708	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	24
PID 1612 wrote to memory of 3048	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	75
PID 2316 wrote to memory of 564	2316	sihost.exe	83
PID 2316 wrote to memory of 564	2316	sihost.exe	83
PID 2316 wrote to memory of 636	2316	sihost.exe	84
PID 2316 wrote to memory of 636	2316	sihost.exe	84
PID 2316 wrote to memory of 976	2316	sihost.exe	87
PID 2316 wrote to memory of 976	2316	sihost.exe	87
PID 2316 wrote to memory of 4056	2316	sihost.exe	88
PID 2316 wrote to memory of 4056	2316	sihost.exe	88
PID 2316 wrote to memory of 1540	2316	sihost.exe	91
PID 2316 wrote to memory of 1540	2316	sihost.exe	91
PID 2316 wrote to memory of 3704	2316	sihost.exe	93
PID 2316 wrote to memory of 3704	2316	sihost.exe	93
PID 976 wrote to memory of 1840	976	cmd.exe	96
PID 976 wrote to memory of 1840	976	cmd.exe	96
PID 636 wrote to memory of 740	636	cmd.exe	95
PID 636 wrote to memory of 740	636	cmd.exe	95
PID 564 wrote to memory of 3792	564	cmd.exe	97
PID 564 wrote to memory of 3792	564	cmd.exe	97
PID 976 wrote to memory of 3556	976	cmd.exe	98
PID 976 wrote to memory of 3556	976	cmd.exe	98
PID 1612 wrote to memory of 2748	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	100
PID 1612 wrote to memory of 2748	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	100
PID 1612 wrote to memory of 2840	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	101
PID 1612 wrote to memory of 2840	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	101
PID 1612 wrote to memory of 980	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	105
PID 1612 wrote to memory of 980	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	105
PID 1612 wrote to memory of 3252	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	103
PID 1612 wrote to memory of 3252	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	103
PID 1612 wrote to memory of 620	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	107
PID 1612 wrote to memory of 620	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	107
PID 1612 wrote to memory of 3984	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	108
PID 1612 wrote to memory of 3984	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	108
PID 1612 wrote to memory of 672	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	110
PID 1612 wrote to memory of 672	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	110
PID 1612 wrote to memory of 4040	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	113
PID 1612 wrote to memory of 4040	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	113
PID 1612 wrote to memory of 4304	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	116
PID 1612 wrote to memory of 4304	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	116
PID 4040 wrote to memory of 4420	4040	net.exe	118
PID 4040 wrote to memory of 4420	4040	net.exe	118
PID 4304 wrote to memory of 4528	4304	net.exe	119
PID 4304 wrote to memory of 4528	4304	net.exe	119
PID 2748 wrote to memory of 4732	2748	cmd.exe	120
PID 2748 wrote to memory of 4732	2748	cmd.exe	120

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3708 -s 864
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3224

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2324
- \??\c:\windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  PID:1764
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    PID:6368
- \??\c:\windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3064
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6388
- \??\c:\windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:3240
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:6400
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:6448
- \??\c:\windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:3416
- \??\c:\windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2324 -s 508
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:6180
- \??\c:\windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:64

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- \??\c:\windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- \??\c:\windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:740
- \??\c:\windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1840
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3556
- \??\c:\windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:4056
- \??\c:\windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1540
- \??\c:\windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3704

C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe
  "C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe
  "C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2888
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2840
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4744
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:3252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:980
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4832
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4904
- C:\Windows\SYSTEM32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:620
- C:\Windows\SYSTEM32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
  2⤵
  PID:672
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4848
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4420
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:8596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:9896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10128
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:29040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:29104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:33644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:33944

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5412
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5584

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8308

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-123-0x00007FF686070000-0x00007FF6861D3000-memory.dmp

Filesize
1.4MB

Download
memory/2324-124-0x00007FF686070000-0x00007FF6861D3000-memory.dmp

Filesize
1.4MB

Download
memory/3272-230-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/3436-129-0x00007FF686070000-0x00007FF6861D3000-memory.dmp

Filesize
1.4MB

Download