Resubmissions

Date              Task ID             Score
19-03-2022 08:22  220319-j9qwraech8   10
19-03-2022 08:21  220319-j84ffseebn   6
16-03-2022 15:34  220316-sz9qjsfba4   10
17-02-2022 18:50  220217-xhdn1aedap   10
17-02-2022 13:21  220217-ql2rnsbbf7   10
17-02-2022 13:20  220217-qljwvscdar   1
17-02-2022 13:20  220217-qlb61sbbf6   1
17-02-2022 13:19  220217-qkv8hacdap   1
17-02-2022 12:49  220217-p2gwrscchl   10
17-02-2022 08:03  220217-jxx5ascaan   1

Analysis
Max time kernel: 829s
Max time network: 1691s
Platform: windows11_x64
Resource: win11
Submitted: 19-10-2021 03:58

Static task: static1
Behavioral task: behavioral1 (sample important.exe, resource win7-en-20211014)
Behavioral task: behavioral2 (sample important.exe, resource win11)
Behavioral task: behavioral3 (sample important.exe, resource win10-en-20210920)
General

Target: important.exe
Size: 3.4MB
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family: wannacry
Wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures

Registers COM server for autorun (1 TTP)

Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
Description           | PID  | Process            | Target procid
PID 3840 created 3220 | 3840 | SystemSettings.exe | 26
PID 3840 created 3044 | 3840 | SystemSettings.exe | 28
PID 3840 created 3044 | 3840 | SystemSettings.exe | 28

Wannacry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Downloads MZ/PE file
Executes dropped EXE (64 IoCs)
Processes: taskdl.exe, taskse.exe, taskhsvc.exe, @[email protected], Windows-KB890830-x64-V5.94.exe, MRT.exe
Sets service image path in registry (2 TTPs)

Deletes itself (1 IoC)
PID  | Process
1824 | MRT.exe

Drops startup file (2 IoCs)
Description                  | IoC                                                                                      | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD256.tmp | important.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD27C.tmp                         | important.exe
Loads dropped DLL (29 IoCs)
Processes: taskhsvc.exe, MRT.exe, svchost.exe, dismhost.exe
Modifies file permissions (1 TTP, 1 IoC)
PID  | Process
3160 | icacls.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

[signature name not captured] (3 IoCs)
Description | IoC                                                                          | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths      | MRT.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features               | MRT.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions | MRT.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Description     | IoC | Process
Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kovazmlfyf099 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRT = "\"C:\\Windows\\system32\\MRT.exe\" /R" | MRT.exe

Checks for any installed AV software in registry (1 TTP, 2 IoCs)
Description | IoC                                                          | Process
Key opened  | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast              | svchost.exe
Key opened  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast  | svchost.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (7 IoCs)
Processes: MRT.exe, svchost.exe, Windows-KB890830-x64-V5.94.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Description     | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | important.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | @[email protected]
Drops file in Windows directory (64 IoCs)
Processes: svchost.exe, TiWorker.exe (paths under C:\Windows\SoftwareDistribution\Download and C:\Windows\Servicing\LCU)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
PID  | Target PID | Process      | Target procid
5808 | 6092       | WerFault.exe | 305
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe, SystemSettings.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\description\system\centralprocessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | SystemSettings.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
Enumerates system info in registry 2 TTPs 11 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SecurityHealthService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SecurityHealthService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Modifies registry class 38 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32\ThreadingModel = "Both" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{640A228D-5EA3-4F94-BDF5-2B5636CB1CEC} | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FA5FC48C-B2FD-4DD9-B523-280119E45BDF} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID | wuauclt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32 | wuauclt.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FA5FC48C-B2FD-4DD9-B523-280119E45BDF} | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB619A4B-6033-4237-B03A-940112B57D71} | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32 | wuauclt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32\ThreadingModel = "Both" | wuauclt.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB619A4B-6033-4237-B03A-940112B57D71} | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CD91A99-11EF-4071-B585-C9B9F672B47F} | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388} | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32 | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{640A228D-5EA3-4F94-BDF5-2B5636CB1CEC}\RunAs = "nt authority\\system" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID | wuauclt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32\ThreadingModel = "Both" | wuauclt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB619A4B-6033-4237-B03A-940112B57D71}\AppID = "{640A228D-5EA3-4F94-BDF5-2B5636CB1CEC}" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388} | wuauclt.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | MRT.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 | MRT.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{640A228D-5EA3-4F94-BDF5-2B5636CB1CEC} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{1CA3D98C-B216-4B50-882D-D3F357DADF40} | SystemSettings.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache | ShellExperienceHost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\AppID | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32\ = "C:\\Windows\\SYSTEM32\\UpdateDeploy.dll" | wuauclt.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | MRT.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FA5FC48C-B2FD-4DD9-B523-280119E45BDF}\RunAs = "nt authority\\system" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32\ = "C:\\Windows\\SYSTEM32\\UpdateDeploy.dll" | wuauclt.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CD91A99-11EF-4071-B585-C9B9F672B47F} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388} | wuauclt.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | MRT.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4CD91A99-11EF-4071-B585-C9B9F672B47F}\AppID = "{FA5FC48C-B2FD-4DD9-B523-280119E45BDF}" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388} | wuauclt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388}\InProcServer32\ = "C:\\Windows\\SYSTEM32\\UpdateDeploy.dll" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90E52E21-F4FC-4AFA-9686-474F701E8388} | wuauclt.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
2840 | reg.exe
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid | Process
564 | taskhsvc.exe (×6)
3840 | SystemSettings.exe (×2)
4136 | Windows-KB890830-x64-V5.94.exe (×2)
1824 | MRT.exe (×28)
5408 | msedge.exe (×2)
3196 | msedge.exe (×2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
3196 | msedge.exe (×2)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeSystemtimePrivilege | 4700 | svchost.exe (×2)
Token: SeIncBasePriorityPrivilege | 4700 | svchost.exe
Token: SeShutdownPrivilege | 2524 | svchost.exe
Token: SeCreatePagefilePrivilege | 2524 | svchost.exe
Token: SeShutdownPrivilege | 2524 | svchost.exe
Token: SeCreatePagefilePrivilege | 2524 | svchost.exe
Token: SeShutdownPrivilege | 2524 | svchost.exe
Token: SeCreatePagefilePrivilege | 2524 | svchost.exe
Token: SeShutdownPrivilege | 2260 | svchost.exe
Token: SeCreatePagefilePrivilege | 2260 | svchost.exe
Token: SeTakeOwnershipPrivilege | 1428 | WaaSMedicAgent.exe
Token: SeSecurityPrivilege | 1428 | WaaSMedicAgent.exe
Token: SeRestorePrivilege | 1428 | WaaSMedicAgent.exe
Token: SeBackupPrivilege | 1428 | WaaSMedicAgent.exe
Token: SeShutdownPrivilege | 2524 | svchost.exe
Token: SeCreatePagefilePrivilege | 2524 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 4828 | WMIC.exe
Token: SeSecurityPrivilege | 4828 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4828 | WMIC.exe
Token: SeLoadDriverPrivilege | 4828 | WMIC.exe
Token: SeSystemProfilePrivilege | 4828 | WMIC.exe
Token: SeSystemtimePrivilege | 4828 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4828 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4828 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4828 | WMIC.exe
Token: SeBackupPrivilege | 4828 | WMIC.exe
Token: SeRestorePrivilege | 4828 | WMIC.exe
Token: SeShutdownPrivilege | 4828 | WMIC.exe
Token: SeDebugPrivilege | 4828 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4828 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4828 | WMIC.exe
Token: SeUndockPrivilege | 4828 | WMIC.exe
Token: SeManageVolumePrivilege | 4828 | WMIC.exe
Token: 33 | 4828 | WMIC.exe
Token: 34 | 4828 | WMIC.exe
Token: 35 | 4828 | WMIC.exe
Token: 36 | 4828 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4828 | WMIC.exe
Token: SeSecurityPrivilege | 4828 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4828 | WMIC.exe
Token: SeLoadDriverPrivilege | 4828 | WMIC.exe
Token: SeSystemProfilePrivilege | 4828 | WMIC.exe
Token: SeSystemtimePrivilege | 4828 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4828 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4828 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4828 | WMIC.exe
Token: SeBackupPrivilege | 4828 | WMIC.exe
Token: SeRestorePrivilege | 4828 | WMIC.exe
Token: SeShutdownPrivilege | 4828 | WMIC.exe
Token: SeDebugPrivilege | 4828 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4828 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4828 | WMIC.exe
Token: SeUndockPrivilege | 4828 | WMIC.exe
Token: SeManageVolumePrivilege | 4828 | WMIC.exe
Token: 33 | 4828 | WMIC.exe
Token: 34 | 4828 | WMIC.exe
Token: 35 | 4828 | WMIC.exe
Token: 36 | 4828 | WMIC.exe
Token: SeBackupPrivilege | 2052 | vssvc.exe
Token: SeRestorePrivilege | 2052 | vssvc.exe
Token: SeAuditPrivilege | 2052 | vssvc.exe
Token: SeTcbPrivilege | 4016 | taskse.exe (×2)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3840 | SystemSettings.exe
3196 | msedge.exe
Suspicious use of SetWindowsHookEx 43 IoCs
pid | Process
2248 | @[email protected]
3960 | @[email protected]
2248 | @[email protected]
3960 | @[email protected]
4288 | @[email protected] (×2)
4012 | @[email protected]
2796 | @[email protected]
4992 | @[email protected]
2388 | @[email protected]
4572 | @[email protected]
3200 | @[email protected]
4348 | @[email protected]
4072 | @[email protected]
3928 | @[email protected]
3840 | SystemSettings.exe
4464 | @[email protected]
2848 | @[email protected]
3236 | osk.exe
3840 | SystemSettings.exe
3236 | osk.exe (×3)
3840 | SystemSettings.exe (×3)
5024 | @[email protected]
4272 | @[email protected]
4156 | MiniSearchHost.exe
2208 | @[email protected]
2024 | @[email protected]
4876 | SystemSettingsAdminFlows.exe
4292 | @[email protected]
3420 | @[email protected]
3832 | @[email protected]
1516 | SecHealthUI.exe
5288 | @[email protected]
5488 | @[email protected]
6068 | @[email protected]
5276 | @[email protected]
3684 | ShellExperienceHost.exe (×3)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4140 wrote to memory of 3968 | 4140 | important.exe | 83 (×3)
PID 4140 wrote to memory of 3160 | 4140 | important.exe | 84 (×3)
PID 4140 wrote to memory of 416 | 4140 | important.exe | 92 (×3)
PID 4140 wrote to memory of 4984 | 4140 | important.exe | 93 (×3)
PID 4984 wrote to memory of 2772 | 4984 | cmd.exe | 95 (×3)
PID 2260 wrote to memory of 3344 | 2260 | svchost.exe | 97 (×2)
PID 4140 wrote to memory of 2024 | 4140 | important.exe | 101 (×3)
PID 4140 wrote to memory of 2248 | 4140 | important.exe | 102 (×3)
PID 4140 wrote to memory of 4148 | 4140 | important.exe | 103 (×3)
PID 4148 wrote to memory of 3960 | 4148 | cmd.exe | 105 (×3)
PID 2248 wrote to memory of 564 | 2248 | @[email protected] | 107 (×3)
PID 3960 wrote to memory of 1268 | 3960 | @[email protected] | 112 (×3)
PID 1268 wrote to memory of 4828 | 1268 | cmd.exe | 115 (×3)
PID 4140 wrote to memory of 4016 | 4140 | important.exe | 118 (×3)
PID 4140 wrote to memory of 4288 | 4140 | important.exe | 119 (×3)
PID 4140 wrote to memory of 2388 | 4140 | important.exe | 120 (×3)
PID 2388 wrote to memory of 2840 | 2388 | cmd.exe | 122 (×3)
PID 4140 wrote to memory of 3316 | 4140 | important.exe | 123 (×3)
PID 4140 wrote to memory of 1240 | 4140 | important.exe | 131 (×3)
PID 4140 wrote to memory of 4012 | 4140 | important.exe | 132 (×3)
PID 4140 wrote to memory of 4728 | 4140 | important.exe | 133 (×3)
PID 4140 wrote to memory of 2880 | 4140 | important.exe | 134 (×2)
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
3968 | attrib.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3220
    C:\Users\Admin\AppData\Local\Temp\important.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\important.exe"
      - Drops startup file
      - Sets desktop wallpaper using registry
      - Suspicious use of WriteProcessMemory
      PID: 4140
        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib +h .
          - Views/modifies file attributes
          PID: 3968
        C:\Windows\SysWOW64\icacls.exe
          Command line: icacls . /grant Everyone:F /T /C /Q
          - Modifies file permissions
          PID: 3160
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 416
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c 44941634615933.bat
          - Suspicious use of WriteProcessMemory
          PID: 4984
            C:\Windows\SysWOW64\cscript.exe
              Command line: cscript.exe //nologo m.vbs
              PID: 2772
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 2024
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2248
            C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
              Command line: TaskData\Tor\taskhsvc.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              PID: 564
        C:\Windows\SysWOW64\cmd.exe
          PID: 4148
            C:\Users\Admin\AppData\Local\Temp\@[email protected]
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 3960
                C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  - Suspicious use of WriteProcessMemory
                  PID: 1268
                    C:\Windows\SysWOW64\Wbem\WMIC.exe
                      Command line: wmic shadowcopy delete
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 4828
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          Command line: taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4016
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          - Executes dropped EXE
          - Sets desktop wallpaper using registry
          - Suspicious use of SetWindowsHookEx
          PID: 4288
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kovazmlfyf099" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
          - Suspicious use of WriteProcessMemory
          PID: 2388
            C:\Windows\SysWOW64\reg.exe
              Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kovazmlfyf099" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
              - Adds Run key to start application
              - Modifies registry key
              PID: 2840
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 3316
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 1240
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4012
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 4728
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 2880
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 2796
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 3336
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 4020
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4992
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 4012
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 4728
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 2388
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 656
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 2888
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4572
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 1468
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 4148
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 3200
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 3476
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 580
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4348
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 1048
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 2092
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4072
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 4152
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 3424
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 3928
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 5028
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 4568
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4464
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 4664
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 2008
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 2848
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 780
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 4332
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 5024
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 4964
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 400
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4272
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 1268
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 580
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 2208
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 1324
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 3588
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 2024
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 3836
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 1324
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 4292
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 960
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 1608
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 3420
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 1632
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 3832
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 5036
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          - Executes dropped EXE
          PID: 4088
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 5280
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 5288
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          PID: 5316
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 5488
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 5480
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          PID: 5508
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 6060
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 6068
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          PID: 6088
        C:\Users\Admin\AppData\Local\Temp\taskse.exe
          PID: 1328
        C:\Users\Admin\AppData\Local\Temp\@[email protected]
          PID: 5276
        C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          Command line: taskdl.exe
          PID: 5344
    C:\Windows\System32\ATBroker.exe
      Command line: C:\Windows\System32\ATBroker.exe /start osk
      PID: 1192
        C:\Windows\System32\osk.exe
          Command line: "C:\Windows\System32\osk.exe"
          - Suspicious use of SetWindowsHookEx
          PID: 3236
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      PID: 3196
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f39b46f8,0x7ff9f39b4708,0x7ff9f39b4718
          PID: 2600
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
          PID: 5516
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 5408
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
          PID: 3252
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
          PID: 3924
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
          PID: 1384
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
          PID: 5100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:83⤵PID:2804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:13⤵PID:5920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1672 /prefetch:13⤵PID:6108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:13⤵PID:2128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:13⤵PID:4628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:13⤵PID:1012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,15367757550942348133,5703298767447954221,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6128 /prefetch:83⤵PID:5708
-
-
-
C:\Windows\system32\NOTEPAD.EXEPID:2528
-
-
C:\Users\Admin\Desktop\@[email protected]PID:6092
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 8403⤵
- Program crash
PID:5808
-
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager2⤵PID:4464
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc3⤵PID:2976
-
-
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3044
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp2⤵
- Suspicious use of SetWindowsHookEx
PID:4876
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopSelectUsers2⤵PID:4904
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv AxKuNvVafk+LEI7FoaNlrQ.01⤵PID:4644
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:4680
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv Fcn7GmHlCkm4eJ2C0jMRoQ.0.21⤵PID:2088
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4768
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe da974030b195e4c1516e78812cc59f01 Fcn7GmHlCkm4eJ2C0jMRoQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\system32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /DeploymentHandlerFullPath C:\Windows\SYSTEM32\UpdateDeploy.dll /ClassId bb619a4b-6033-4237-b03a-940112b57d71 /RunHandlerComServer2⤵
- Modifies registry class
PID:1240 -
C:\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.94.exe"C:\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.94.exe" /Q /W3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4136 -
C:\Windows\system32\MRT.exe"C:\Windows\system32\MRT.exe" /Q /W4⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1824
-
-
-
-
C:\Windows\system32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /DeploymentHandlerFullPath C:\Windows\SYSTEM32\UpdateDeploy.dll /ClassId 4cd91a99-11ef-4071-b585-c9b9f672b47f /RunHandlerComServer2⤵
- Modifies registry class
PID:5404
-
-
C:\Windows\system32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /DeploymentHandlerFullPath C:\Windows\SYSTEM32\UpdateDeploy.dll /ClassId 81eea947-f8f1-4f3c-b81f-9ddc72faf579 /RunHandlerComServer2⤵PID:2616
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:3344
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:3584
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:4536
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe da974030b195e4c1516e78812cc59f01 Fcn7GmHlCkm4eJ2C0jMRoQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
PID:3988
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3240
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3840 -
C:\Users\Admin\AppData\Local\Temp\4F08FD0C-6677-4299-B659-0F77350F0006\dismhost.exeC:\Users\Admin\AppData\Local\Temp\4F08FD0C-6677-4299-B659-0F77350F0006\dismhost.exe {B940C4D1-A6C6-40F6-AE7B-D1DA58CDA4CD}2⤵
- Loads dropped DLL
PID:5928
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵PID:4748
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵PID:3300
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:1476
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
PID:2184 -
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20210726043614.log C:\Windows\Logs\CBS\CbsPersist_20210726043614.cab2⤵PID:3680
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:52⤵PID:1100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay2⤵PID:5056
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay2⤵PID:4784
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4156
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:2420
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:3364
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:3588
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:3928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:408
-
C:\Windows\system32\SecurityHealthService.exeC:\Windows\system32\SecurityHealthService.exe1⤵
- Modifies data under HKEY_USERS
PID:2968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1564
-
C:\Program Files\WindowsApps\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe\SecHealthUI.exe"C:\Program Files\WindowsApps\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe\SecHealthUI.exe" -ServerName:SecHealthUI.AppX8tam42xc7v2czs3s1nt0nkxvfjtepzp9.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1516
-
C:\Windows\System32\SecurityHealthHost.exe\\?\C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:3168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
- Modifies data under HKEY_USERS
PID:5168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc1⤵
- Drops file in System32 directory
PID:5196
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5572
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc1⤵PID:3116
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:5352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
PID:6032
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1364
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:2304
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:3000
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateBroker.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateBroker.exe" -Embedding1⤵PID:3356
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /broker2⤵PID:3492
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe" -Embedding1⤵PID:5160
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ondemand2⤵PID:1216
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateBroker.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateBroker.exe" -Embedding1⤵PID:5740
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /broker2⤵PID:5480
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe" -Embedding1⤵PID:1472
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ondemand2⤵PID:5560
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:672
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Desktop\@[email protected]"2⤵PID:5336
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Desktop\@[email protected]"3⤵PID:4912
-
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary4⤵PID:5064
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT5⤵PID:3832
-
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play "C:\Users\Admin\Desktop\@[email protected]"4⤵PID:6044
-
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon3⤵PID:3276
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT4⤵PID:4024
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵PID:5240
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:4616
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵PID:3168
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5900
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6092 -ip 60921⤵PID:2324
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵PID:5656
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:4324
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39b8055 /state1:0x41c64e6d1⤵PID:1948
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:3424
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.190_none_0478e2b34cb0bdc3\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.190_none_0478e2b34cb0bdc3\TiWorker.exe -Embedding1⤵PID:5112
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- Disabling Security Tools: 2
- File Deletion: 1
- File and Directory Permissions Modification: 1
- Hidden Files and Directories: 1
- Modify Registry: 6