Analysis

max time kernel: 196s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 20-02-2022 07:43

Static task: static1
Behavioral task: behavioral1
  Sample: 493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe
  Resource: win10v2004-en-20220112
General

Target: 493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe
Size: 170KB
MD5: 70358de67cd46462293bb07b716674d2
SHA1: d2e29a91e5b9b3272f8ac8853277ada2c46fad61
SHA256: 493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6
SHA512: 5fb14ef25950ccc356ab230741cf6a8ef075df3b0bc3d47f3aee123978f9f70123fcece69bc990d81d454f5b2e8e7f39a866a1d7d688e911f7a57bcd310cba2a
Malware Config

Extracted
  Path: C:\RyukReadMe.txt
  Family: ryuk
  Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures

Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  PID 3040 (WerFault.exe) created 2828 (StartMenuExperienceHost.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe"  (reg.exe)
  Note: the value name "svchos" is one character short of "svchost", and the data points at the sample's own copy in the user's Temp directory. The key lives under the user's SID (HKEY_CURRENT_USER), so writing it needs no elevation; the sample does it through cmd.exe and reg.exe rather than calling the registry API itself (see the process tree below).
Drops file in Program Files directory (64 IoCs)
  Process for every entry below: sihost.exe (PID 2140). The sample never touches these files from its own process; it wrote into sihost.exe earlier (see "Suspicious use of WriteProcessMemory") and the injected code then opens data files under Program Files for modification, which is consistent with encryption, and drops RyukReadMe.txt into the directories it walks.
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\RyukReadMe.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml
  File opened for modification: C:\Program Files\Common Files\System\ado\msado27.tlb
  File opened for modification: C:\Program Files\Java\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_HK.properties
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar
  File opened for modification: C:\Program Files\7-Zip\Lang\fur.txt
  File opened for modification: C:\Program Files\7-Zip\Lang\zh-cn.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklisted.certs
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar
  File opened for modification: C:\Program Files\7-Zip\Lang\zh-tw.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml
  File opened for modification: C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\RyukReadMe.txt
  File opened for modification: C:\Program Files\7-Zip\Lang\an.txt
  File opened for modification: C:\Program Files\7-Zip\readme.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\bin\derby_common.bat
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
  File opened for modification: C:\Program Files\7-Zip\Lang\it.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\Content.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml
  File opened for modification: C:\Program Files\Common Files\System\ado\it-IT\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html
  File opened for modification: C:\Program Files\7-Zip\Lang\si.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
  File opened for modification: C:\Program Files\Common Files\System\ado\msado20.tlb
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\RyukReadMe.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat
  File opened for modification: C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\RyukReadMe.txt
  File opened for modification: C:\Program Files\Common Files\microsoft shared\VC\RyukReadMe.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  (svchost.exe)
  This is the Delivery Optimization service (hosted in the NetworkService svchost, PID 4332) writing its own state file; treat it as background noise, not sample activity.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  WerFault.exe PID 968  -> crashed process PID 2652 (DllHost.exe)
  WerFault.exe PID 4496 -> crashed process PID 2828 (StartMenuExperienceHost.exe)
  Both crashed processes are ones the sample wrote into (see "Suspicious use of WriteProcessMemory"); injected code that does not survive in every host process is a common source of such crashes, and the resulting WerFault activity accounts for several of the lower-confidence signatures below.
Modifies data under HKEY_USERS (49 IoCs)
  Process for every entry: svchost.exe (the NetworkService host, PID 4332). S-1-5-20 is the NETWORK SERVICE account and every key sits under its Delivery Optimization state, so this is service housekeeping rather than something the sample did.
  Common prefix for all entries: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
  Set value (int) Usage\MonthlyUploadRestriction = "0"
  Key created Config
  Key created Settings
  Set value (int) Config\DODownloadMode = "1"
  Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
  Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int) Usage\UploadRatePct = "100"
  Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int) Usage\InternetConnectionCount = "0"
  Set value (str) Usage\CPUpct = "0.250000"
  Set value (str) Usage\CPUpct = "0.000000"
  Key created (the DeliveryOptimization key itself)
  Key created Usage
  Set value (int) Config\KVFileExpirationTime = "132899972064290966"
  Set value (int) Usage\CacheSizeBytes = "0"
  Set value (int) Usage\LinkLocalConnectionCount = "0"
  Set value (int) Usage\DownlinkUsageBps = "0"
  Set value (int) Usage\SwarmCount = "0"
  Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int) Usage\GroupConnectionCount = "0"
  Set value (int) Usage\DownlinkBps = "0"
  Set value (int) Usage\UplinkBps = "0"
  Set value (int) Usage\PriorityDownloadPendingCount = "0"
  Set value (int) Usage\MemoryUsageKB = "4052"
  Set value (int) Usage\PeerInfoCount = "0"
  Set value (int) Usage\CDNConnectionCount = "0"
  Set value (int) Usage\DownloadMonthlyLanBytes = "0"
  Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int) Usage\MonthID = "2"
  Set value (int) Usage\NormalDownloadPendingCount = "0"
  Set value (str) Usage\CPUpct = "1.851775"
  Set value (int) Usage\PriorityDownloadCount = "0"
  Set value (int) Usage\NormalDownloadCount = "0"
  Set value (int) Config\DownloadMode_BackCompat = "1"
  Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int) Usage\LANConnectionCount = "0"
  Set value (int) Usage\UplinkUsageBps = "0"
  Set value (int) Usage\FrDownloadRatePct = "90"
  Set value (int) Usage\BkDownloadRatePct = "45"
  Set value (int) Usage\UploadMonthlyInternetBytes = "0"
  Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int) Usage\UploadCount = "0"
  Set value (int) Usage\UploadMonthlyLanBytes = "0"
  Set value (int) Usage\SwarmCount = "1"
  Set value (int) Usage\MemoryUsageKB = "4296"
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable  (RuntimeBroker.exe)
  Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System  (RuntimeBroker.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1600 493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe  (x2)
  PID 4496 WerFault.exe  (x2)
  PID 968 WerFault.exe  (x2)
  The sample's own enumeration is how it picks injection targets; the WerFault hits are the crash handler inspecting the processes it was asked to dump.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1600 493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe
  SeDebugPrivilege is what lets the sample open other users' and system processes for writing; it is the usual prelude to the cross-process writes listed next.

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 1012 (cmd.exe)  (x2)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2140 (sihost.exe)
  PID 1012 (cmd.exe) wrote to memory of 2196 (reg.exe)  (x2)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2160 (svchost.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2208 (taskhostw.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2456 (svchost.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2652 (DllHost.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2828 (StartMenuExperienceHost.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 3000 (RuntimeBroker.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2204 (SearchApp.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 3208 (RuntimeBroker.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 3616 (RuntimeBroker.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 3676 (RuntimeBroker.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 3344 (backgroundTaskHost.exe)
  PID 1600 (493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe) wrote to memory of 2104 (BackgroundTransferHost.exe)
  PID 2652 (DllHost.exe) wrote to memory of 968 (WerFault.exe)  (x2)
  PID 3040 (WerFault.exe) wrote to memory of 2828 (StartMenuExperienceHost.exe)  (x2)
  Reading this table: the writes into cmd.exe and reg.exe are ordinary process creation (each is the writer's own child in the process tree), and WerFault writing into the process it is dumping is normal crash handling. What remains is the sample writing into thirteen already-running system and UWP host processes it does not own; of those, sihost.exe is the one that went on to drop the ransom notes, and DllHost.exe and StartMenuExperienceHost.exe crashed.
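The reading above can be reconstructed mechanically from the report's own tables. The following is an added example, not the sandbox vendor's code: it parses the flattened WriteProcessMemory, file-write and crash rows exactly as this page prints them, discards writes that process creation or WER explain, and reports which injected process carried the payload. The event lines are a constructed subset copied from this report (not every row is included), and the child-to-parent map is read off the process tree further down; both are this example's inputs, not something the sandbox exports.

```python
"""Reconstruct the injection picture from a sandbox report's event tables.
Added example; not the sandbox vendor's code. Inputs below are a constructed
subset of this report's rows, in the exact text form the report prints them.
"""
import re
from collections import defaultdict
from pprint import pprint

SAMPLE = "493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe"

# Constructed subset of the "Suspicious use of WriteProcessMemory" table.
MEMORY_WRITE_LINES = [
    f"PID 1600 wrote to memory of 1012 1600 {SAMPLE} cmd.exe",
    f"PID 1600 wrote to memory of 1012 1600 {SAMPLE} cmd.exe",
    f"PID 1600 wrote to memory of 2140 1600 {SAMPLE} sihost.exe",
    "PID 1012 wrote to memory of 2196 1012 cmd.exe reg.exe",
    f"PID 1600 wrote to memory of 2160 1600 {SAMPLE} svchost.exe",
    f"PID 1600 wrote to memory of 2208 1600 {SAMPLE} taskhostw.exe",
    f"PID 1600 wrote to memory of 2456 1600 {SAMPLE} svchost.exe",
    f"PID 1600 wrote to memory of 2652 1600 {SAMPLE} DllHost.exe",
    f"PID 1600 wrote to memory of 2828 1600 {SAMPLE} StartMenuExperienceHost.exe",
    f"PID 1600 wrote to memory of 3000 1600 {SAMPLE} RuntimeBroker.exe",
    f"PID 1600 wrote to memory of 2204 1600 {SAMPLE} SearchApp.exe",
    "PID 2652 wrote to memory of 968 2652 DllHost.exe WerFault.exe",
    "PID 3040 wrote to memory of 2828 3040 WerFault.exe StartMenuExperienceHost.exe",
]
# Constructed subset of the file-write tables (paths as reported; process name last).
FILE_WRITE_LINES = [
    r"File opened for modification C:\Program Files\Java\RyukReadMe.txt sihost.exe",
    r"File opened for modification C:\Program Files\7-Zip\Lang\fur.txt sihost.exe",
    r"File opened for modification C:\Program Files\Common Files\microsoft shared\VC\RyukReadMe.txt sihost.exe",
    r"File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe",
]
# The "Program crash" table: WerFault pid, crashed pid, then the two image names.
CRASH_LINES = [
    "968 2652 WerFault.exe DllHost.exe",
    "4496 2828 WerFault.exe StartMenuExperienceHost.exe",
]
# child pid -> parent pid, read off the report's process tree (constructed input).
PARENT_OF = {1012: 1600, 2196: 1012, 968: 2652, 4496: 2828}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
FILE_RE = re.compile(r"File opened for modification (.+) (\S+)$")
CRASH_RE = re.compile(r"(\d+) (\d+) WerFault\.exe (\S+)")
RANSOM_NOTE = "ryukreadme.txt"


def parse_memory_writes(lines):
    """Return a de-duplicated set of (src_pid, dst_pid, src_name, dst_name)."""
    edges = set()
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            src, dst, src_name, dst_name = m.groups()
            edges.add((int(src), int(dst), src_name, dst_name))
    return edges


def injections(edges, parent_of):
    """Keep cross-process writes not explained by process creation (a parent
    writing into its own new child) or by WerFault dumping a crashed process."""
    out = {}
    for src, dst, src_name, dst_name in edges:
        if src_name.lower() == "werfault.exe":
            continue
        if parent_of.get(dst) == src:
            continue
        out[dst] = (dst_name, src)
    return out


def ransom_note_writers(lines):
    """Count ransom-note drops per image name (the file table has no PIDs)."""
    counts = defaultdict(int)
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m and m.group(1).lower().endswith("\\" + RANSOM_NOTE):
            counts[m.group(2)] += 1
    return dict(counts)


def crashed_pids(lines):
    pids = set()
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if m:
            pids.add(int(m.group(2)))
    return pids


def summarize(write_lines, file_lines, crash_lines, parent_of):
    inj = injections(parse_memory_writes(write_lines), parent_of)
    notes = ransom_note_writers(file_lines)
    by_name = defaultdict(list)
    for pid, (name, _) in inj.items():
        by_name[name].append(pid)
    return {
        "injectors": sorted({src for _, src in inj.values()}),
        "injected": {pid: name for pid, (name, _) in inj.items()},
        "ransom_note_writes": notes,
        # Join on image name: the process that both received a write and dropped notes.
        "payload_hosts": sorted(pid for pid, (name, _) in inj.items() if name in notes),
        # Names injected more than once cannot be resolved to one PID from the file table.
        "ambiguous_names": sorted(n for n, pids in by_name.items() if len(pids) > 1),
        "crashed_after_injection": sorted(pid for pid in inj if pid in crashed_pids(crash_lines)),
    }


if __name__ == "__main__":
    pprint(summarize(MEMORY_WRITE_LINES, FILE_WRITE_LINES, CRASH_LINES, PARENT_OF))
```

The `ambiguous_names` field is the caveat worth keeping: the sandbox's file table identifies writers by image name only, so when the same name was injected twice (svchost.exe here) a note drop could not be pinned to a PID without the per-process view in the tree below.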
Processes

Indentation shows parent/child; each entry lists its image, command line, PID and the signatures the sandbox attached to it.

C:\Windows\System32\RuntimeBroker.exe  (PID 3000)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\BackgroundTransferHost.exe  (PID 2104)
  cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe  (PID 3344)
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 3676)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  signatures: Modifies registry class

C:\Windows\System32\RuntimeBroker.exe  (PID 3616)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe  (PID 3208)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 2204)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 2828)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  +- C:\Windows\system32\WerFault.exe  (PID 4496)
       cmdline: C:\Windows\system32\WerFault.exe -u -p 2828 -s 2536
       signatures: Program crash; Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\DllHost.exe  (PID 2652)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  signatures: Suspicious use of WriteProcessMemory
  +- C:\Windows\system32\WerFault.exe  (PID 968)
       cmdline: C:\Windows\system32\WerFault.exe -u -p 2652 -s 388
       signatures: Program crash; Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe  (PID 2456)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe  (PID 2208)
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe  (PID 2160)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe  (PID 2140)
  cmdline: sihost.exe
  signatures: Drops file in Program Files directory

C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe  (PID 1600)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe"
  signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  +- C:\Windows\System32\cmd.exe  (PID 1012)
       cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe" /f
       signatures: Suspicious use of WriteProcessMemory
       +- C:\Windows\system32\reg.exe  (PID 2196)
            cmdline: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe" /f
            signatures: Adds Run key to start application

C:\Windows\system32\WerFault.exe  (PID 3040)
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 404 -p 2828 -ip 2828
  signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory

C:\Windows\System32\svchost.exe  (PID 4332)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS