Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
90s -
max time network
17s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
07/03/2021, 22:11
Static task
static1
Behavioral task
behavioral1
Sample
860e50.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
860e50.bin.exe
Resource
win10v20201028
General
-
Target
860e50.bin.exe
-
Size
196KB
-
MD5
484a2bcb1335ac97ee91194f4c0964bc
-
SHA1
ad11ed52ab33ad05eb9b1e9ade134ca1348acc81
-
SHA256
40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
-
SHA512
6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f
Malware Config
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 2008 daLYleD.exe -
Loads dropped DLL 2 IoCs
pid Process 1096 860e50.bin.exe 1096 860e50.bin.exe -
Modifies file permissions 1 TTPs 4 IoCs
pid Process 524 icacls.exe 960 icacls.exe 388 icacls.exe 648 icacls.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\daLYleD.exe" reg.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\860e50.bin.exe" reg.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF 860e50.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml 860e50.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml 860e50.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF 860e50.bin.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png 860e50.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files\Microsoft Office\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml 860e50.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01627_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html 860e50.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ActionsPane3.xsd 860e50.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02368_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02407_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU 860e50.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo 860e50.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS 860e50.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152558.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg 860e50.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png 860e50.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\EXPEDITN.INF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF 860e50.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID 860e50.bin.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\RyukReadMe.html 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152606.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF 860e50.bin.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP 860e50.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1056 vssadmin.exe 1964 vssadmin.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 1096 860e50.bin.exe 1096 860e50.bin.exe 2008 daLYleD.exe 1096 860e50.bin.exe 1096 860e50.bin.exe 2008 daLYleD.exe 1096 860e50.bin.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1096 860e50.bin.exe Token: SeBackupPrivilege 2008 daLYleD.exe Token: SeBackupPrivilege 1096 860e50.bin.exe Token: SeBackupPrivilege 1424 vssvc.exe Token: SeRestorePrivilege 1424 vssvc.exe Token: SeAuditPrivilege 1424 vssvc.exe Token: SeIncreaseQuotaPrivilege 1916 WMIC.exe Token: SeSecurityPrivilege 1916 WMIC.exe Token: SeTakeOwnershipPrivilege 1916 WMIC.exe Token: SeLoadDriverPrivilege 1916 WMIC.exe Token: SeSystemProfilePrivilege 1916 WMIC.exe Token: SeSystemtimePrivilege 1916 WMIC.exe Token: SeProfSingleProcessPrivilege 1916 WMIC.exe Token: SeIncBasePriorityPrivilege 1916 WMIC.exe Token: SeCreatePagefilePrivilege 1916 WMIC.exe Token: SeBackupPrivilege 1916 WMIC.exe Token: SeRestorePrivilege 1916 WMIC.exe Token: SeShutdownPrivilege 1916 WMIC.exe Token: SeDebugPrivilege 1916 WMIC.exe Token: SeSystemEnvironmentPrivilege 1916 WMIC.exe Token: SeRemoteShutdownPrivilege 1916 WMIC.exe Token: SeUndockPrivilege 1916 WMIC.exe Token: SeManageVolumePrivilege 1916 WMIC.exe Token: 33 1916 WMIC.exe Token: 34 1916 WMIC.exe Token: 35 1916 WMIC.exe Token: SeIncreaseQuotaPrivilege 1916 WMIC.exe Token: SeSecurityPrivilege 1916 WMIC.exe Token: SeTakeOwnershipPrivilege 1916 WMIC.exe Token: SeLoadDriverPrivilege 1916 WMIC.exe Token: SeSystemProfilePrivilege 1916 WMIC.exe Token: SeSystemtimePrivilege 1916 WMIC.exe Token: SeProfSingleProcessPrivilege 1916 WMIC.exe Token: SeIncBasePriorityPrivilege 1916 WMIC.exe Token: SeCreatePagefilePrivilege 1916 WMIC.exe Token: SeBackupPrivilege 1916 WMIC.exe Token: SeRestorePrivilege 1916 WMIC.exe Token: SeShutdownPrivilege 1916 WMIC.exe Token: SeDebugPrivilege 1916 WMIC.exe Token: SeSystemEnvironmentPrivilege 1916 WMIC.exe Token: SeRemoteShutdownPrivilege 1916 WMIC.exe Token: SeUndockPrivilege 1916 WMIC.exe Token: SeManageVolumePrivilege 1916 WMIC.exe Token: 33 1916 WMIC.exe Token: 34 1916 WMIC.exe Token: 35 1916 WMIC.exe Token: SeIncreaseQuotaPrivilege 1752 WMIC.exe Token: SeSecurityPrivilege 1752 WMIC.exe Token: SeTakeOwnershipPrivilege 1752 WMIC.exe Token: SeLoadDriverPrivilege 1752 WMIC.exe Token: SeSystemProfilePrivilege 1752 WMIC.exe Token: SeSystemtimePrivilege 1752 WMIC.exe Token: SeProfSingleProcessPrivilege 1752 WMIC.exe Token: SeIncBasePriorityPrivilege 1752 WMIC.exe Token: SeCreatePagefilePrivilege 1752 WMIC.exe Token: SeBackupPrivilege 1752 WMIC.exe Token: SeRestorePrivilege 1752 WMIC.exe Token: SeShutdownPrivilege 1752 WMIC.exe Token: SeDebugPrivilege 1752 WMIC.exe Token: SeSystemEnvironmentPrivilege 1752 WMIC.exe Token: SeRemoteShutdownPrivilege 1752 WMIC.exe Token: SeUndockPrivilege 1752 WMIC.exe Token: SeManageVolumePrivilege 1752 WMIC.exe Token: 33 1752 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1096 wrote to memory of 2008 1096 860e50.bin.exe 26 PID 1096 wrote to memory of 2008 1096 860e50.bin.exe 26 PID 1096 wrote to memory of 2008 1096 860e50.bin.exe 26 PID 1096 wrote to memory of 2008 1096 860e50.bin.exe 26 PID 1096 wrote to memory of 1116 1096 860e50.bin.exe 15 PID 1096 wrote to memory of 2036 1096 860e50.bin.exe 27 PID 1096 wrote to memory of 2036 1096 860e50.bin.exe 27 PID 1096 wrote to memory of 2036 1096 860e50.bin.exe 27 PID 1096 wrote to memory of 2036 1096 860e50.bin.exe 27 PID 2036 wrote to memory of 1964 2036 net.exe 29 PID 2036 wrote to memory of 1964 2036 net.exe 29 PID 2036 wrote to memory of 1964 2036 net.exe 29 PID 2036 wrote to memory of 1964 2036 net.exe 29 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 30 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 30 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 30 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 30 PID 1096 wrote to memory of 1176 1096 860e50.bin.exe 14 PID 524 wrote to memory of 732 524 net.exe 32 PID 524 wrote to memory of 732 524 net.exe 32 PID 524 wrote to memory of 732 524 net.exe 32 PID 524 wrote to memory of 732 524 net.exe 32 PID 2008 wrote to memory of 388 2008 daLYleD.exe 36 PID 2008 wrote to memory of 388 2008 daLYleD.exe 36 PID 2008 wrote to memory of 388 2008 daLYleD.exe 36 PID 2008 wrote to memory of 388 2008 daLYleD.exe 36 PID 2008 wrote to memory of 648 2008 daLYleD.exe 37 PID 2008 wrote to memory of 648 2008 daLYleD.exe 37 PID 2008 wrote to memory of 648 2008 daLYleD.exe 37 PID 2008 wrote to memory of 648 2008 daLYleD.exe 37 PID 2008 wrote to memory of 1616 2008 daLYleD.exe 40 PID 2008 wrote to memory of 1616 2008 daLYleD.exe 40 PID 2008 wrote to memory of 1616 2008 daLYleD.exe 40 PID 2008 wrote to memory of 1616 2008 daLYleD.exe 40 PID 2008 wrote to memory of 1056 2008 daLYleD.exe 42 PID 2008 wrote to memory of 1056 2008 daLYleD.exe 42 PID 2008 wrote to memory of 1056 2008 daLYleD.exe 42 PID 2008 wrote to memory of 1056 2008 daLYleD.exe 42 PID 1616 wrote to memory of 1916 1616 cmd.exe 44 PID 1616 wrote to memory of 1916 1616 cmd.exe 44 PID 1616 wrote to memory of 1916 1616 cmd.exe 44 PID 1616 wrote to memory of 1916 1616 cmd.exe 44 PID 2008 wrote to memory of 1584 2008 daLYleD.exe 45 PID 2008 wrote to memory of 1584 2008 daLYleD.exe 45 PID 2008 wrote to memory of 1584 2008 daLYleD.exe 45 PID 2008 wrote to memory of 1584 2008 daLYleD.exe 45 PID 1584 wrote to memory of 1596 1584 net.exe 47 PID 1584 wrote to memory of 1596 1584 net.exe 47 PID 1584 wrote to memory of 1596 1584 net.exe 47 PID 1584 wrote to memory of 1596 1584 net.exe 47 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 49 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 49 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 49 PID 1096 wrote to memory of 524 1096 860e50.bin.exe 49 PID 1096 wrote to memory of 960 1096 860e50.bin.exe 52 PID 1096 wrote to memory of 960 1096 860e50.bin.exe 52 PID 1096 wrote to memory of 960 1096 860e50.bin.exe 52 PID 1096 wrote to memory of 960 1096 860e50.bin.exe 52 PID 1096 wrote to memory of 1244 1096 860e50.bin.exe 54 PID 1096 wrote to memory of 1244 1096 860e50.bin.exe 54 PID 1096 wrote to memory of 1244 1096 860e50.bin.exe 54 PID 1096 wrote to memory of 1244 1096 860e50.bin.exe 54 PID 1096 wrote to memory of 1964 1096 860e50.bin.exe 55 PID 1096 wrote to memory of 1964 1096 860e50.bin.exe 55
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1176
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe"C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\daLYleD.exe"C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" 8 LAN2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
PID:388
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
PID:648
-
-
C:\Windows\SysWOW64\cmd.execmd /c "WMIC.exe shadowcopy delet"3⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC.exe shadowcopy delet4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1056
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y3⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y4⤵PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" /f /reg:643⤵PID:28076
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" /f /reg:644⤵
- Adds Run key to start application
PID:28380
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y3⤵PID:37300
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y4⤵PID:37340
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y3⤵PID:65348
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y4⤵PID:65376
-
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:1964
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:732
-
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:524
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:960
-
-
C:\Windows\SysWOW64\cmd.execmd /c "WMIC.exe shadowcopy delet"2⤵PID:1244
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC.exe shadowcopy delet3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1964
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe" /f /reg:642⤵PID:1052
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe" /f /reg:643⤵
- Adds Run key to start application
PID:2088
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:2028
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:2128
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:34800
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:34924
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:37440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:37540
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:54708
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:55312
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:67084
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:68596
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424