ryuk | 88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5

Analysis

max time kernel
173s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
Size

190KB
MD5

e8c26344b4adb62a9a42cf6480c88d05
SHA1

41f926e43e9686382f8c84da42880c47999645fb
SHA256

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5
SHA512

287c49f05e2a9928c98986130e875af96d2690097ce00780bbd51034a1a5396c56d20e90ca267f8eb79c440d9b2cbf44e0082910807d934c5edad036d6277d2f

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4816 created 2904	4816	WerFault.exe	21
PID 5008 created 3580	5008	WerFault.exe	7
PID 4996 created 2744	4996	WerFault.exe	23

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4824	2744	WerFault.exe	23
5796	3580	WerFault.exe	7
5808	2744	WerFault.exe	23
5828	2904	WerFault.exe	21

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = c71d22e52326d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3601b870d48ceb7579abcab9f303901675a24e8675f2f82fcf456e9d697fc282"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = 13a44be62326d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f1de2112a781cf82df7a8a7763adecc678f6c395f22b664cfcf2dd8d2c0eab0c"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = c7684be92326d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = 2f7ed2e82326d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c0fe93c72326d801279ec4de2326d801279ec4de2326d801c0bb0b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000393434363962376337323836316637653064633932353537393233353030636363313366376334646533323363616264316234646162323035666133643763660000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000b6f9ff00390034003400360039006200370063003700320038003600310066003700650030006400630039003200350035003700390032003300350030003000630063006300310033006600370063003400640065003300320033006300610062006400310062003400640061006200320030003500660061003300640037006300660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39343436396237633732383631663765306463393235353739323335303063636331336637633464653332336361626431623464616232303566613364376366000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6172e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6172e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fc2a3ec72326d801610f45da2326d801610f45da2326d801e5ef07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000333630316238373064343863656237353739616263616239663330333930313637356132346538363735663266383266636634353665396436393766633238320000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000dae8cd00330036003000310062003800370030006400340038006300650062003700350037003900610062006300610062003900660033003000330039003000310036003700350061003200340065003800360037003500660032006600380032006600630066003400350036006500390064003600390037006600630032003800320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33363031623837306434386365623735373961626361623966333033393031363735613234653836373566326638326663663435366539643639376663323832000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60e2e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d60e2e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\94469b7c72861f7e0dc92557923500ccc13f7c4de323cabd1b4dab205fa3d7cf"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = 57dfb2eb2326d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000029768ac72326d801204019db2326d801204019db2326d80190fd0b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000663164653231313261373831636638326466376138613737363361646563633637386636633339356632326236363463666366326464386432633065616230630000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000d1210701660031006400650032003100310032006100370038003100630066003800320064006600370061003800610037003700360033006100640065006300630036003700380066003600630033003900350066003200320062003600360034006300660063006600320064006400380064003200630030006500610062003000630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66316465323131326137383163663832646637613861373736336164656363363738663663333935663232623636346366636632646438643263306561623063000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60d2e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d60d2e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000615083c72326d801e326edde2326d801e326edde2326d801c4730e000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000393836633933376362613031316166653237303832376164373135336134666337353030623939373135663466333162643933306566373665326531623436320000b20009000400efbe54543034545430342e000000000000000000000000000000000000000000000000006d98de00390038003600630039003300370063006200610030003100310061006600650032003700300038003200370061006400370031003500330061003400660063003700350030003000620039003900370031003500660034006600330031006200640039003300300065006600370036006500320065003100620034003600320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39383663393337636261303131616665323730383237616437313533613466633735303062393937313566346633316264393330656637366532653162343632000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6162e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6162e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004b6458c72326d801a37a14db2326d801a37a14db2326d801054a10000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000383764373633376263323037613831626463353066643663346239313632623864653339356364363535323564316636386466336536343166613964316331370000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000b447ef00380037006400370036003300370062006300320030003700610038003100620064006300350030006600640036006300340062003900310036003200620038006400650033003900350063006400360035003500320035006400310066003600380064006600330065003600340031006600610039006400310063003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38376437363337626332303761383162646335306664366334623931363262386465333935636436353532356431663638646633653634316661396431633137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6152e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6152e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
2228	sihost.exe
2228	sihost.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
2228	sihost.exe
2228	sihost.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
5796	WerFault.exe
5796	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
Token: SeBackupPrivilege	2228	sihost.exe
Token: SeBackupPrivilege	2904	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3580	backgroundTaskHost.exe
Token: SeBackupPrivilege	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 2228	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	28
PID 3748 wrote to memory of 2244	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	27
PID 3748 wrote to memory of 2296	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	26
PID 3748 wrote to memory of 2528	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	24
PID 3748 wrote to memory of 2744	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	23
PID 3748 wrote to memory of 2904	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	21
PID 3748 wrote to memory of 2984	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	20
PID 3748 wrote to memory of 3064	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	19
PID 3748 wrote to memory of 2628	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	18
PID 3748 wrote to memory of 3324	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	16
PID 3748 wrote to memory of 2572	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	13
PID 3748 wrote to memory of 1648	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	8
PID 3748 wrote to memory of 3580	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	7
PID 2744 wrote to memory of 4824	2744	DllHost.exe	61
PID 2744 wrote to memory of 4824	2744	DllHost.exe	61
PID 2228 wrote to memory of 1012	2228	sihost.exe	66
PID 2228 wrote to memory of 1012	2228	sihost.exe	66
PID 2228 wrote to memory of 5196	2228	sihost.exe	69
PID 2228 wrote to memory of 5196	2228	sihost.exe	69
PID 3748 wrote to memory of 5320	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	71
PID 3748 wrote to memory of 5320	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	71
PID 3748 wrote to memory of 5328	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	72
PID 3748 wrote to memory of 5328	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	72
PID 1012 wrote to memory of 5396	1012	net.exe	75
PID 1012 wrote to memory of 5396	1012	net.exe	75
PID 5196 wrote to memory of 5420	5196	net.exe	76
PID 5196 wrote to memory of 5420	5196	net.exe	76
PID 3748 wrote to memory of 5436	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	77
PID 3748 wrote to memory of 5436	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	77
PID 3748 wrote to memory of 5532	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	78
PID 3748 wrote to memory of 5532	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	78
PID 5328 wrote to memory of 5648	5328	net.exe	82
PID 5328 wrote to memory of 5648	5328	net.exe	82
PID 5320 wrote to memory of 5640	5320	net.exe	81
PID 5320 wrote to memory of 5640	5320	net.exe	81
PID 5436 wrote to memory of 5700	5436	net.exe	83
PID 5436 wrote to memory of 5700	5436	net.exe	83
PID 5532 wrote to memory of 5708	5532	net.exe	84
PID 5532 wrote to memory of 5708	5532	net.exe	84
PID 4816 wrote to memory of 2904	4816	WerFault.exe	21
PID 4816 wrote to memory of 2904	4816	WerFault.exe	21
PID 5008 wrote to memory of 3580	5008	WerFault.exe	7
PID 5008 wrote to memory of 3580	5008	WerFault.exe	7
PID 4996 wrote to memory of 2744	4996	WerFault.exe	23
PID 4996 wrote to memory of 2744	4996	WerFault.exe	23
PID 2228 wrote to memory of 5924	2228	sihost.exe	88
PID 2228 wrote to memory of 5924	2228	sihost.exe	88
PID 5924 wrote to memory of 5976	5924	net.exe	90
PID 5924 wrote to memory of 5976	5924	net.exe	90
PID 2228 wrote to memory of 5996	2228	sihost.exe	91
PID 2228 wrote to memory of 5996	2228	sihost.exe	91
PID 5996 wrote to memory of 6048	5996	net.exe	93
PID 5996 wrote to memory of 6048	5996	net.exe	93
PID 3748 wrote to memory of 6104	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	94
PID 3748 wrote to memory of 6104	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	94
PID 6104 wrote to memory of 5216	6104	net.exe	96
PID 6104 wrote to memory of 5216	6104	net.exe	96
PID 3748 wrote to memory of 5084	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	99
PID 3748 wrote to memory of 5084	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	99
PID 3748 wrote to memory of 4860	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	100
PID 3748 wrote to memory of 4860	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	100
PID 3748 wrote to memory of 5484	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	102
PID 3748 wrote to memory of 5484	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	102
PID 4860 wrote to memory of 3512	4860	net.exe	104

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3580 -s 3180
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5796

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1648

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2904 -s 2780
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2744 -s 996
  2⤵
  - Program crash
  PID:4824
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2744 -s 996
  2⤵
  - Program crash
  PID:5808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5396
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5420
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6048

C:\Users\Admin\AppData\Local\Temp\88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
"C:\Users\Admin\AppData\Local\Temp\88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5640
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5648
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5700
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5216
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2604
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3512
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3580 -ip 3580
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2744 -ip 2744
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2904 -ip 2904
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2228-130-0x00007FF6701A0000-0x00007FF670475000-memory.dmp

Filesize
2.8MB

Download
memory/2744-180-0x00000265DB1F0000-0x00000265DB1F1000-memory.dmp

Filesize
4KB

Download
memory/2744-179-0x00000265DB200000-0x00000265DB208000-memory.dmp

Filesize
32KB

Download
memory/2744-195-0x00000265DB2E0000-0x00000265DB2E8000-memory.dmp

Filesize
32KB

Download
memory/2744-196-0x00000265DB100000-0x00000265DB101000-memory.dmp

Filesize
4KB

Download