Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
0323b4326b...02.exe
windows7_x64
100323b4326b...02.exe
windows10_x64
100898a80dc2...92.exe
windows7_x64
100898a80dc2...92.exe
windows10_x64
100aaecf7f77...91.exe
windows7_x64
100aaecf7f77...91.exe
windows10_x64
1016af8d85ef...38.exe
windows7_x64
816af8d85ef...38.exe
windows10_x64
4180f82bbed...43.exe
windows7_x64
10180f82bbed...43.exe
windows10_x64
1023e95ba676...7f.exe
windows7_x64
1023e95ba676...7f.exe
windows10_x64
103a6ebac4f8...ca.exe
windows7_x64
103a6ebac4f8...ca.exe
windows10_x64
1041367ad447...00.exe
windows7_x64
1041367ad447...00.exe
windows10_x64
10Analysis
-
max time kernel
126s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29/03/2021, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Resource
win7v20201028
Behavioral task
behavioral14
Sample
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Resource
win10v20201028
General
-
Target
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
-
Size
208KB
-
MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f
-
SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a
-
SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702
-
SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 3 IoCs
pid Process 3548 RegMmSkEKrep.exe 2556 rChahhASZlan.exe 3860 esnhJBQuelan.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 4484 icacls.exe 4496 icacls.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CHART.DLL 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\jce.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_cn_135x40.svg 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_it.jar 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_18.svg 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons.png 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\RyukReadMe.html 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\ui-strings.js 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 648 wrote to memory of 3548 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 78 PID 648 wrote to memory of 3548 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 78 PID 648 wrote to memory of 3548 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 78 PID 648 wrote to memory of 2556 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 79 PID 648 wrote to memory of 2556 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 79 PID 648 wrote to memory of 2556 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 79 PID 648 wrote to memory of 3860 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 80 PID 648 wrote to memory of 3860 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 80 PID 648 wrote to memory of 3860 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 80 PID 648 wrote to memory of 4484 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 81 PID 648 wrote to memory of 4484 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 81 PID 648 wrote to memory of 4484 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 81 PID 648 wrote to memory of 4496 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 83 PID 648 wrote to memory of 4496 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 83 PID 648 wrote to memory of 4496 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 83 PID 648 wrote to memory of 5080 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 85 PID 648 wrote to memory of 5080 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 85 PID 648 wrote to memory of 5080 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 85 PID 648 wrote to memory of 2336 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 88 PID 648 wrote to memory of 2336 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 88 PID 648 wrote to memory of 2336 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 88 PID 648 wrote to memory of 4788 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 87 PID 648 wrote to memory of 4788 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 87 PID 648 wrote to memory of 4788 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 87 PID 648 wrote to memory of 4944 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 91 PID 648 wrote to memory of 4944 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 91 PID 648 wrote to memory of 4944 648 0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe 91 PID 2336 wrote to memory of 5096 2336 net.exe 96 PID 2336 wrote to memory of 5096 2336 net.exe 96 PID 2336 wrote to memory of 5096 2336 net.exe 96 PID 4788 wrote to memory of 4588 4788 net.exe 95 PID 4788 wrote to memory of 4588 4788 net.exe 95 PID 4788 wrote to memory of 4588 4788 net.exe 95 PID 5080 wrote to memory of 4456 5080 net.exe 94 PID 5080 wrote to memory of 4456 5080 net.exe 94 PID 5080 wrote to memory of 4456 5080 net.exe 94 PID 4944 wrote to memory of 4864 4944 net.exe 93 PID 4944 wrote to memory of 4864 4944 net.exe 93 PID 4944 wrote to memory of 4864 4944 net.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe"C:\Users\Admin\AppData\Local\Temp\0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Users\Admin\AppData\Local\Temp\RegMmSkEKrep.exe"C:\Users\Admin\AppData\Local\Temp\RegMmSkEKrep.exe" 9 REP2⤵
- Executes dropped EXE
PID:3548
-
-
C:\Users\Admin\AppData\Local\Temp\rChahhASZlan.exe"C:\Users\Admin\AppData\Local\Temp\rChahhASZlan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:2556
-
-
C:\Users\Admin\AppData\Local\Temp\esnhJBQuelan.exe"C:\Users\Admin\AppData\Local\Temp\esnhJBQuelan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:3860
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:4484
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:4496
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:4456
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4588
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:5096
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4864
-
-