ryuk | 0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f

Analysis

max time kernel
175s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-02-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
Size

203KB
MD5

ea9759d8023c9f6f269fbd0875561783
SHA1

1c4c718294647cb7df8dae914100394f2668715a
SHA256

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
SHA512

2be12260b22224132c27f60c8943303c89210d58b22acc5efce03fb379d912254493df9eee97a7d1777faf7bf5702537331373711690d9621e642cf698140e81

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5788 created 3884	5788	WerFault.exe
PID 5812 created 2816	5812	WerFault.exe	31
PID 5796 created 2712	5796	WerFault.exe	32

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5804	2712	WerFault.exe	32
4724	2816	WerFault.exe	31
4740	3884	WerFault.exe
4636	2712	WerFault.exe	32

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899090521310515"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = b9c13f257225d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3ce122e-0960-4404-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000af3c681a7225d801e1d0b11e7225d801e1d0b11e7225d801259204000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005354b44a2000323435363335623864306634626438663565346466646362613761626362386439323930393630393537303537376133313130633233613463626139323730330000b20009000400efbe5354b44a5354b44a2e000000000000000000000000000000000000000000000000003b2f0800320034003500360033003500620038006400300066003400620064003800660035006500340064006600640063006200610037006100620063006200380064003900320039003000390036003000390035003700300035003700370061003300310031003000630032003300610034006300620061003900320037003000330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e49f2501000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32343536333562386430663462643866356534646664636261376162636238643932393039363039353730353737613331313063323361346362613932373033000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d62142cd4a9083ec1182d05e446572696abad9b5dc40371b4eb595e9fc647d27d62142cd4a9083ec1182d05e446572696ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a36dbd55-b616-47e9-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c15b5318-ad8f-45cc-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000ba5641f7225d8013b52751f7225d8013b52751f7225d801df0100000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005354b84a2000666334316531613961626566333839333562643065303962663537653039306235613238616237346434353835353861396461353036343566663537306235360000b20009000400efbe5354b84a5354b84a2e000000000000000000000000000000000000000000000000008e794000660063003400310065003100610039006100620065006600330038003900330035006200640030006500300039006200660035003700650030003900300062003500610032003800610062003700340064003400350038003500350038006100390064006100350030003600340035006600660035003700300062003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e49f2501000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66633431653161396162656633383933356264306530396266353765303930623561323861623734643435383535386139646135303634356666353730623536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d62542cd4a9083ec1182d05e446572696abad9b5dc40371b4eb595e9fc647d27d62542cd4a9083ec1182d05e446572696ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = e75b13247225d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\245635b8d0f4bd8f5e4dfdcba7abcb8d92909609570577a3110c23a4cba92703"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b250cb68-4211-4c06-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1c43c6fd-894a-4d17-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\005124b3-5e47-4827-	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2204	sihost.exe
2204	sihost.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2204	sihost.exe
2204	sihost.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
4740	WerFault.exe
4740	WerFault.exe
2204	sihost.exe
2204	sihost.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
Token: SeShutdownPrivilege	2948	RuntimeBroker.exe
Token: SeBackupPrivilege	2204	sihost.exe
Token: SeBackupPrivilege	2816	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3884	Process not Found
Token: SeBackupPrivilege	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2204	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	37
PID 2896 wrote to memory of 2224	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	36
PID 2896 wrote to memory of 2276	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	35
PID 2896 wrote to memory of 2528	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	33
PID 2896 wrote to memory of 2712	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	32
PID 2896 wrote to memory of 2816	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	31
PID 2896 wrote to memory of 2948	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	9
PID 2896 wrote to memory of 3024	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	29
PID 2896 wrote to memory of 2172	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	28
PID 2896 wrote to memory of 3372	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	26
PID 2896 wrote to memory of 2932	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	22
PID 2896 wrote to memory of 996	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	15
PID 2896 wrote to memory of 1724	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	14
PID 2896 wrote to memory of 3884	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
PID 2204 wrote to memory of 4704	2204	sihost.exe	65
PID 2204 wrote to memory of 4704	2204	sihost.exe	65
PID 2896 wrote to memory of 4760	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	71
PID 2896 wrote to memory of 4760	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	71
PID 2896 wrote to memory of 4584	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	70
PID 2896 wrote to memory of 4584	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	70
PID 2204 wrote to memory of 4512	2204	sihost.exe	66
PID 2204 wrote to memory of 4512	2204	sihost.exe	66
PID 2896 wrote to memory of 5328	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	74
PID 2896 wrote to memory of 5328	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	74
PID 2896 wrote to memory of 5336	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	73
PID 2896 wrote to memory of 5336	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	73
PID 2204 wrote to memory of 5348	2204	sihost.exe	75
PID 2204 wrote to memory of 5348	2204	sihost.exe	75
PID 5328 wrote to memory of 5508	5328	net.exe	89
PID 5328 wrote to memory of 5508	5328	net.exe	89
PID 5348 wrote to memory of 5576	5348	net.exe	88
PID 5348 wrote to memory of 5576	5348	net.exe	88
PID 4584 wrote to memory of 5584	4584	net.exe	87
PID 4584 wrote to memory of 5584	4584	net.exe	87
PID 5336 wrote to memory of 5592	5336	net.exe	86
PID 5336 wrote to memory of 5592	5336	net.exe	86
PID 4760 wrote to memory of 5600	4760	net.exe	85
PID 4760 wrote to memory of 5600	4760	net.exe	85
PID 2896 wrote to memory of 5608	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	79
PID 2896 wrote to memory of 5608	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	79
PID 4704 wrote to memory of 5700	4704	net.exe	84
PID 4704 wrote to memory of 5700	4704	net.exe	84
PID 4512 wrote to memory of 5708	4512	net.exe	83
PID 4512 wrote to memory of 5708	4512	net.exe	83
PID 2896 wrote to memory of 5732	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	80
PID 2896 wrote to memory of 5732	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	80
PID 5732 wrote to memory of 6008	5732	net.exe	94
PID 5608 wrote to memory of 6000	5608	net.exe	95
PID 5608 wrote to memory of 6000	5608	net.exe	95
PID 5732 wrote to memory of 6008	5732	net.exe	94
PID 2712 wrote to memory of 5804	2712	DllHost.exe	90
PID 2712 wrote to memory of 5804	2712	DllHost.exe	90
PID 2204 wrote to memory of 5936	2204	sihost.exe	98
PID 2204 wrote to memory of 5936	2204	sihost.exe	98
PID 2896 wrote to memory of 5944	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	103
PID 2896 wrote to memory of 5944	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	103
PID 2896 wrote to memory of 5952	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	102
PID 2896 wrote to memory of 5952	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	102
PID 5936 wrote to memory of 3748	5936	net.exe	104
PID 5936 wrote to memory of 3748	5936	net.exe	104
PID 5944 wrote to memory of 4016	5944	net.exe	105
PID 5944 wrote to memory of 4016	5944	net.exe	105
PID 5952 wrote to memory of 1448	5952	net.exe	106
PID 5952 wrote to memory of 1448	5952	net.exe	106

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1724

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2816 -s 2568
  2⤵
  - Program crash
  PID:4724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000
  2⤵
  - Program crash
  PID:5804
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000
  2⤵
  - Program crash
  PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5700
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:3748
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2596
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5144
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:6348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:6544
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6728
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6924

C:\Users\Admin\AppData\Local\Temp\0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
"C:\Users\Admin\AppData\Local\Temp\0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5584
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5600
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5508
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6008
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:1448
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:4016
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5480
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5452
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:6376
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:6552
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:6408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:6528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6772
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6936

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 2816 -ip 2816
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2712 -ip 2712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3884 -ip 3884
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3884 -s 2528
1⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-130-0x00007FF611610000-0x00007FF6119A6000-memory.dmp

Filesize
3.6MB

Download
memory/2224-131-0x00007FF611610000-0x00007FF6119A6000-memory.dmp

Filesize
3.6MB

Download