Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
0323b4326b...02.exe
windows7_x64
100323b4326b...02.exe
windows10_x64
100898a80dc2...92.exe
windows7_x64
100898a80dc2...92.exe
windows10_x64
100aaecf7f77...91.exe
windows7_x64
100aaecf7f77...91.exe
windows10_x64
1016af8d85ef...38.exe
windows7_x64
816af8d85ef...38.exe
windows10_x64
4180f82bbed...43.exe
windows7_x64
10180f82bbed...43.exe
windows10_x64
1023e95ba676...7f.exe
windows7_x64
1023e95ba676...7f.exe
windows10_x64
103a6ebac4f8...ca.exe
windows7_x64
103a6ebac4f8...ca.exe
windows10_x64
1041367ad447...00.exe
windows7_x64
1041367ad447...00.exe
windows10_x64
10Analysis
-
max time kernel
148s -
max time network
103s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29/03/2021, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Resource
win7v20201028
Behavioral task
behavioral14
Sample
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Resource
win10v20201028
General
-
Target
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
-
Size
208KB
-
MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f
-
SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a
-
SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702
-
SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 3 IoCs
pid Process 896 raydyJUMDrep.exe 292 VYLkLJOSclan.exe 1060 YQuCWMDhplan.exe -
Loads dropped DLL 6 IoCs
pid Process 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2668 icacls.exe 2656 icacls.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\security\cacerts 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_de.properties 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Bissau 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\rtstreamsink.ax 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Winnipeg 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Wake 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre7\release 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 776 wrote to memory of 896 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 29 PID 776 wrote to memory of 896 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 29 PID 776 wrote to memory of 896 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 29 PID 776 wrote to memory of 896 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 29 PID 776 wrote to memory of 292 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 30 PID 776 wrote to memory of 292 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 30 PID 776 wrote to memory of 292 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 30 PID 776 wrote to memory of 292 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 30 PID 776 wrote to memory of 1060 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 31 PID 776 wrote to memory of 1060 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 31 PID 776 wrote to memory of 1060 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 31 PID 776 wrote to memory of 1060 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 31 PID 776 wrote to memory of 2656 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 32 PID 776 wrote to memory of 2656 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 32 PID 776 wrote to memory of 2656 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 32 PID 776 wrote to memory of 2656 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 32 PID 776 wrote to memory of 2668 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 33 PID 776 wrote to memory of 2668 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 33 PID 776 wrote to memory of 2668 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 33 PID 776 wrote to memory of 2668 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 33 PID 776 wrote to memory of 2724 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 37 PID 776 wrote to memory of 2724 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 37 PID 776 wrote to memory of 2724 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 37 PID 776 wrote to memory of 2724 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 37 PID 2724 wrote to memory of 3444 2724 net.exe 39 PID 2724 wrote to memory of 3444 2724 net.exe 39 PID 2724 wrote to memory of 3444 2724 net.exe 39 PID 2724 wrote to memory of 3444 2724 net.exe 39 PID 776 wrote to memory of 3780 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 40 PID 776 wrote to memory of 3780 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 40 PID 776 wrote to memory of 3780 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 40 PID 776 wrote to memory of 3780 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 40 PID 3780 wrote to memory of 1508 3780 net.exe 42 PID 3780 wrote to memory of 1508 3780 net.exe 42 PID 3780 wrote to memory of 1508 3780 net.exe 42 PID 3780 wrote to memory of 1508 3780 net.exe 42 PID 776 wrote to memory of 3404 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 44 PID 776 wrote to memory of 3404 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 44 PID 776 wrote to memory of 3404 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 44 PID 776 wrote to memory of 3404 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 44 PID 3404 wrote to memory of 3144 3404 net.exe 45 PID 3404 wrote to memory of 3144 3404 net.exe 45 PID 3404 wrote to memory of 3144 3404 net.exe 45 PID 3404 wrote to memory of 3144 3404 net.exe 45 PID 776 wrote to memory of 3460 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 47 PID 776 wrote to memory of 3460 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 47 PID 776 wrote to memory of 3460 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 47 PID 776 wrote to memory of 3460 776 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 47 PID 3460 wrote to memory of 3940 3460 net.exe 48 PID 3460 wrote to memory of 3940 3460 net.exe 48 PID 3460 wrote to memory of 3940 3460 net.exe 48 PID 3460 wrote to memory of 3940 3460 net.exe 48
Processes
-
C:\Users\Admin\AppData\Local\Temp\0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe"C:\Users\Admin\AppData\Local\Temp\0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Users\Admin\AppData\Local\Temp\raydyJUMDrep.exe"C:\Users\Admin\AppData\Local\Temp\raydyJUMDrep.exe" 9 REP2⤵
- Executes dropped EXE
PID:896
-
-
C:\Users\Admin\AppData\Local\Temp\VYLkLJOSclan.exe"C:\Users\Admin\AppData\Local\Temp\VYLkLJOSclan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:292
-
-
C:\Users\Admin\AppData\Local\Temp\YQuCWMDhplan.exe"C:\Users\Admin\AppData\Local\Temp\YQuCWMDhplan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:1060
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:2656
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:2668
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:3444
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:1508
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:3144
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:3940
-
-