Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2022 06:22
Static task: static1
Behavioral task: behavioral1 (Sample: test.jse; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: test.jse; Resource: win10v2004-20220901-en)
General
Target: test.jse
Size: 192KB
MD5: b40966619d66f80774ebf817c3316acc
SHA1: cdc90f17b5a54005993a4db61ac60e0b905f8416
SHA256: 5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
SHA512: a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
SSDEEP: 6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa
Malware Config
Signatures
Detect magniber ransomware (3 IoCs)
Columns: resource, yara_rule.
- behavioral2/memory/4532-134-0x000001C64A450000-0x000001C64B450000-memory.dmp: family_magniber
- behavioral2/memory/2256-135-0x00000250DB140000-0x00000250DB14B000-memory.dmp: family_magniber
- behavioral2/memory/4532-147-0x000001C64A450000-0x000001C64B450000-memory.dmp: family_magniber
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description, pid, pid_target, Process, procid_target.
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 4344 (pid_target 1288) bcdedit.exe, procid_target 55
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 4776 (pid_target 1288) bcdedit.exe, procid_target 55
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 3796 (pid_target 1288) wbadmin.exe, procid_target 55
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1240 (pid_target 1288) wbadmin.exe, procid_target 55
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Columns: pid, Process.
- 4344 bcdedit.exe
- 4776 bcdedit.exe
Deletes System State backups (1 IoC)
Columns: pid, Process.
- 3796 wbadmin.exe
Deletes backup catalog (1 IoC)
Columns: pid, Process.
- 1240 wbadmin.exe
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Columns: description, ioc, Process.
- File opened for modification: C:\Users\Admin\Pictures\ReadMerge.tiff (sihost.exe)
- File renamed: C:\Users\Admin\Pictures\ReadMerge.tiff => C:\Users\Admin\Pictures\ReadMerge.tiff.fhbrfuj (sihost.exe)
- File renamed: C:\Users\Admin\Pictures\RedoGet.png => C:\Users\Admin\Pictures\RedoGet.png.fhbrfuj (sihost.exe)
- File renamed: C:\Users\Admin\Pictures\BlockSet.crw => C:\Users\Admin\Pictures\BlockSet.crw.fhbrfuj (sihost.exe)
- File renamed: C:\Users\Admin\Pictures\UseUnlock.raw => C:\Users\Admin\Pictures\UseUnlock.raw.fhbrfuj (sihost.exe)
- File renamed: C:\Users\Admin\Pictures\WaitGrant.raw => C:\Users\Admin\Pictures\WaitGrant.raw.fhbrfuj (sihost.exe)
- File opened for modification: C:\Users\Admin\Pictures\FormatSet.tiff (sihost.exe)
- File renamed: C:\Users\Admin\Pictures\FormatSet.tiff => C:\Users\Admin\Pictures\FormatSet.tiff.fhbrfuj (sihost.exe)
Drops file in Windows directory (3 IoCs)
Columns: description, ioc, Process.
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.3.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.2.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.1.etl (wbadmin.exe)
Program crash (1 IoC)
Columns: pid, pid_target, Process, procid_target.
- 2992 (pid_target 3208) WerFault.exe, procid_target 43
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Columns: description, ioc, Process.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
Modifies registry class (64 IoCs)
Columns: description, ioc, Process. One binary value was a long raw hex dump and is omitted; values elided from the source are shown as "…".
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5062f3c1-cde0-4b9b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\29900c2e-6d85-46e2- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7d59f35385df7b4c5e665d5711a6e5600adbba38c7b38a42b5ea92a3dcc59e32" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e25e6778-15cd-4a94- = "0" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings (Explorer.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute (sihost.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b992404-4dfd-4017- = 75e2ef95cbc8d801 (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\29900c2e-6d85-46e2- = 45e73c96cbc8d801 (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\29900c2e-6d85-46e2- = "0" (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\475d7a8d-cf97-4291- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e25e6778-15cd-4a94- = 17708f97cbc8d801 (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a071fbe-51fa-4c70- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9531ac91de1830441f396b99b4941050b542e9771d1dcab1c8465ca7e57205d0" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer (sihost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\365a150b-e0e9-48be- = "8324" (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c430a91-5cca-49a7- = (binary data blob omitted) (RuntimeBroker.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a071fbe-51fa-4c70- (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e25e6778-15cd-4a94- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer (svchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- = "\\\\?\\Volume{2339E045-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\67af1b500f21d2d929173c1ae80c77e532dfbecf8d627e79aeacec4d1f99693d" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4879e868-39da-4f97- (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings (svchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (taskhostw.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b992404-4dfd-4017- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\475d7a8d-cf97-4291- = f4572b96cbc8d801 (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- = 6b757297cbc8d801 (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/dzjzyk.wmv" (svchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a071fbe-51fa-4c70- (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c430a91-5cca-49a7- (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e25e6778-15cd-4a94- (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\29900c2e-6d85-46e2- = … (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b381b140-40cc-43f5- = 4e955597cbc8d801 (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e87b415-a0e6-4b74- = "0" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Explorer.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a071fbe-51fa-4c70- = 84c2d595cbc8d801 (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\29900c2e-6d85-46e2- (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/yeygbkwbctma.wmv" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- = "8324" (RuntimeBroker.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\475d7a8d-cf97-4291- (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\475d7a8d-cf97-4291- = "0" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9e87b415-a0e6-4b74- = "8324" (RuntimeBroker.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Explorer.EXE)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b992404-4dfd-4017- (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\475d7a8d-cf97-4291- (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f7b5a8cf-27c3-440a- = … (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e25e6778-15cd-4a94- = … (RuntimeBroker.exe)
- Key deleted \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5062f3c1-cde0-4b9b- (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a071fbe-51fa-4c70- = "8324" (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\365a150b-e0e9-48be- (RuntimeBroker.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c430a91-5cca-49a7- = 03282997cbc8d801 (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4879e868-39da-4f97- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c430a91-5cca-49a7- = "0" (RuntimeBroker.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b381b140-40cc-43f5- (RuntimeBroker.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b381b140-40cc-43f5- = "0" (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings (svchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jbtcauaqtg.wmv" (taskhostw.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Columns: pid, Process.
- 4532 WScript.exe
- 4532 WScript.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Columns: pid, Process.
- 3004 Explorer.EXE
Suspicious use of AdjustPrivilegeToken (54 IoCs)
Columns: description, pid, Process. Runs of identical consecutive entries are collapsed with their count, in original order.
- Token: SeShutdownPrivilege then Token: SeCreatePagefilePrivilege, 3004 Explorer.EXE (6 alternating pairs, 12 entries)
- Token: SeShutdownPrivilege, 3360 RuntimeBroker.exe (1 entry)
- Token: SeShutdownPrivilege then Token: SeCreatePagefilePrivilege, 3004 Explorer.EXE (4 alternating pairs, 8 entries)
- Token: SeShutdownPrivilege, 3360 RuntimeBroker.exe (1 entry)
- Token: SeShutdownPrivilege then Token: SeCreatePagefilePrivilege, 3004 Explorer.EXE (2 alternating pairs, 4 entries)
- Token: SeShutdownPrivilege, 3360 RuntimeBroker.exe (2 entries)
- Token: SeShutdownPrivilege then Token: SeCreatePagefilePrivilege, 3004 Explorer.EXE (3 alternating pairs, 6 entries)
- Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeAuditPrivilege, 3544 vssvc.exe (3 entries)
- Token: SeShutdownPrivilege then Token: SeCreatePagefilePrivilege, 3004 Explorer.EXE (5 alternating pairs, 10 entries)
- Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeSecurityPrivilege, 756 wbengine.exe (3 entries)
- Token: SeShutdownPrivilege then Token: SeCreatePagefilePrivilege, 3004 Explorer.EXE (2 alternating pairs, 4 entries)
Suspicious use of WriteProcessMemory (25 IoCs)
Columns: description, pid, Process, procid_target. Entries that appear twice in a row are marked (x2).
- PID 4532 wrote to memory of 2256: 4532 WScript.exe, procid_target 21
- PID 4532 wrote to memory of 2268: 4532 WScript.exe, procid_target 80
- PID 4532 wrote to memory of 2376: 4532 WScript.exe, procid_target 79
- PID 4532 wrote to memory of 3004: 4532 WScript.exe, procid_target 45
- PID 4532 wrote to memory of 684: 4532 WScript.exe, procid_target 44
- PID 4532 wrote to memory of 3208: 4532 WScript.exe, procid_target 43
- PID 4532 wrote to memory of 3300: 4532 WScript.exe, procid_target 42
- PID 4532 wrote to memory of 3360: 4532 WScript.exe, procid_target 41
- PID 4532 wrote to memory of 3456: 4532 WScript.exe, procid_target 76
- PID 4532 wrote to memory of 3692: 4532 WScript.exe, procid_target 75
- PID 4532 wrote to memory of 4960: 4532 WScript.exe, procid_target 72
- PID 4532 wrote to memory of 4620: 4532 WScript.exe, procid_target 59
- PID 4532 wrote to memory of 2428: 4532 WScript.exe, procid_target 85
- PID 2432 wrote to memory of 4812: 2432 cmd.exe, procid_target 108 (x2)
- PID 4812 wrote to memory of 4752: 4812 fodhelper.exe, procid_target 109 (x2)
- PID 4048 wrote to memory of 1972: 4048 cmd.exe, procid_target 112 (x2)
- PID 1972 wrote to memory of 1020: 1972 fodhelper.exe, procid_target 113 (x2)
- PID 956 wrote to memory of 3748: 956 cmd.exe, procid_target 130 (x2)
- PID 3748 wrote to memory of 2312: 3748 fodhelper.exe, procid_target 131 (x2)
Processes
Process tree (children indented under their parent). Each entry: PID, image, command line, and the signatures that fired for it.
- PID 2256  image: C:\Windows\system32\sihost.exe  cmdline: sihost.exe  signatures: Modifies extensions of user files; Modifies registry class
- PID 3360  image: C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken
- PID 3300  image: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3208  image: C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 2992  image: C:\Windows\system32\WerFault.exe  cmdline: C:\Windows\system32\WerFault.exe -u -p 3208 -s 872  signatures: Program crash
- PID 684  image: C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  signatures: Modifies registry class
- PID 3004  image: C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - PID 4532  image: C:\Windows\System32\WScript.exe  cmdline: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\test.jse"  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 2432  image: C:\Windows\System32\cmd.exe  cmdline: /c fodhelper.exe  signatures: Suspicious use of WriteProcessMemory
    - PID 4812  image: C:\Windows\System32\fodhelper.exe  cmdline: fodhelper.exe  signatures: Suspicious use of WriteProcessMemory
      - PID 4752  image: C:\Windows\system32\wscript.exe  cmdline: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/dzjzyk.wmv
- PID 4620  image: C:\Windows\system32\backgroundTaskHost.exe  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- PID 4960  image: C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  signatures: Modifies registry class
- PID 3692  image: C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  signatures: Modifies registry class
- PID 3456  image: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 2376  image: C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  signatures: Modifies registry class
- PID 2268  image: C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  signatures: Modifies registry class
  - PID 956  image: C:\Windows\System32\cmd.exe  cmdline: /c fodhelper.exe  signatures: Suspicious use of WriteProcessMemory
    - PID 3748  image: C:\Windows\System32\fodhelper.exe  cmdline: fodhelper.exe  signatures: Suspicious use of WriteProcessMemory
      - PID 2312  image: C:\Windows\system32\wscript.exe  cmdline: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/jbtcauaqtg.wmv
- PID 2428  image: C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  signatures: Modifies registry class
  - PID 4048  image: C:\Windows\System32\cmd.exe  cmdline: /c fodhelper.exe  signatures: Suspicious use of WriteProcessMemory
    - PID 1972  image: C:\Windows\System32\fodhelper.exe  cmdline: fodhelper.exe  signatures: Suspicious use of WriteProcessMemory
      - PID 1020  image: C:\Windows\system32\wscript.exe  cmdline: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/dzjzyk.wmv
- PID 3392  image: C:\Windows\system32\WerFault.exe  cmdline: C:\Windows\system32\WerFault.exe -pss -s 448 -p 3208 -ip 3208
- PID 3544  image: C:\Windows\system32\vssvc.exe  cmdline: C:\Windows\system32\vssvc.exe  signatures: Suspicious use of AdjustPrivilegeToken
- PID 4344  image: C:\Windows\system32\bcdedit.exe  cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures  signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 4776  image: C:\Windows\system32\bcdedit.exe  cmdline: bcdedit /set {default} recoveryenabled no  signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 3796  image: C:\Windows\system32\wbadmin.exe  cmdline: wbadmin delete systemstatebackup -quiet  signatures: Process spawned unexpected child process; Deletes System State backups; Drops file in Windows directory
- PID 1240  image: C:\Windows\system32\wbadmin.exe  cmdline: wbadmin delete catalog -quiet  signatures: Process spawned unexpected child process; Deletes backup catalog
- PID 756  image: C:\Windows\system32\wbengine.exe  cmdline: "C:\Windows\system32\wbengine.exe"  signatures: Suspicious use of AdjustPrivilegeToken
- PID 4828  image: C:\Windows\System32\vdsldr.exe  cmdline: C:\Windows\System32\vdsldr.exe -Embedding
- PID 4152  image: C:\Windows\System32\vds.exe  cmdline: C:\Windows\System32\vds.exe  signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 868B
MD5: 581973cdfb4720018293584fa82b6973
SHA1: a280dec72dff08d9448d866e6e3011241c5794bc
SHA256: 1972fe56babf7575426b0690a118c342ef8cff2e463b16a8cf3071c3229d510b
SHA512: 6e115f41e19dc2e90d8800fb3089f4b83d048c41c25e994b8c23c409bb30eede25bf208d61315574253002a287abef3dd876c9673d6ff928a70f46608ab8fd80