598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6

Analysis

max time kernel
176s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01-02-2022 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
Size

66KB
MD5

83059fd8732ea6d7fbff2e717c432fac
SHA1

036cc83046013318b9e8809845a9ef211165ec34
SHA256

598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6
SHA512

b534c892c790dadb14e2abe12c892e1033dddcc695f018d4984e651f14f57022ec92e88c2904b8e3669ae8203b5b7a927a1519482e646978e0d1e4a1c90b2aef

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UpdateSubmit.tiff	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\resources.pri	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AudienceNetwork.winmd	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-400.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-lightunplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_altform-unplated_contrast-black.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\SmallLogoDev.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-RTL.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\3DViewerProductDescription-universal.xml	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\97.0.1072.55\resources.pak	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\default.vlt	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Medium.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\97.0.1072.55\MLModels\autofill_labeling_email.ort	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-36_altform-unplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoProfilePicture.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Hero.jpg	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZX______.PFB	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100_contrast-black.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-400.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-40_altform-unplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-white.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\localhost.crt	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square71x71Logo.scale-100.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\GlowInTheDark.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.svg	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Studio.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateHorizontally.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\SolitaireLiveTileUpdater.winmd	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.Tile.winmd	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-white.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-unplated.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Large.png	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
680	vssadmin.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
Token: SeImpersonatePrivilege	4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeCreatePagefilePrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeCreatePagefilePrivilege	1708	svchost.exe
Token: SeShutdownPrivilege	1708	svchost.exe
Token: SeCreatePagefilePrivilege	1708	svchost.exe
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 680	4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe	91
PID 4896 wrote to memory of 680	4896	598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe	91

C:\Users\Admin\AppData\Local\Temp\598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe
"C:\Users\Admin\AppData\Local\Temp\598d2938b1a8d8e2a03e40d109d1299fe82b72e2d2a6364b6bfabfccdcd729a6.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:680

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c50c471dbeff2a6038c09ccfd745b49e wK7s7aQ8HUG8VHktXvSVFg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-130-0x0000026B8B5A0000-0x0000026B8B5B0000-memory.dmp

Filesize
64KB

Download
memory/1708-137-0x0000026B8E980000-0x0000026B8E984000-memory.dmp

Filesize
16KB

Download