ryuk | 2d3b8208e42e72b356add50649a91ffab352498a0cfe4a4c4828e6a331e63a6d

Analysis

max time kernel
1800s
max time network
1567s
platform
windows7_x64
resource
win7-en-20210920
submitted
27-10-2021 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
792	mvUGHSRogrep.exe
1652	afWgJXVPJlan.exe
684	skpNXAATolan.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CheckpointResolve.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteTrace.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitCopy.crw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchClose.raw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MoveAdd.raw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectClose.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\AddDeny.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PingApprove.crw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveNew.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectReset.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Loads dropped DLL 6 IoCs

pid	Process
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
848	icacls.exe
1060	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTEL.ICO	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187839.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\LightSpirit.css.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198016.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00095_.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299611.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
533272	SCHTASKS.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1308	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	taskmgr.exe
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	28
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	28
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	28
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	28
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	29
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	29
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	29
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	29
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	30
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	30
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	30
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	30
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	38
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	38
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	38
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	38
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	47
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	47
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	47
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	47
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	39
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	39
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	39
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	39
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	41
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	41
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	41
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	41
PID 3036 wrote to memory of 1320	3036	net.exe	42
PID 3036 wrote to memory of 1320	3036	net.exe	42
PID 3036 wrote to memory of 1320	3036	net.exe	42
PID 3036 wrote to memory of 1320	3036	net.exe	42
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	43
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	43
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	43
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	43
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	45
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	45
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	45
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	45
PID 3064 wrote to memory of 2080	3064	net.exe	44
PID 3064 wrote to memory of 2080	3064	net.exe	44
PID 3064 wrote to memory of 2080	3064	net.exe	44
PID 3064 wrote to memory of 2080	3064	net.exe	44
PID 984 wrote to memory of 1456	984	net.exe	48
PID 984 wrote to memory of 1456	984	net.exe	48
PID 984 wrote to memory of 1456	984	net.exe	48
PID 984 wrote to memory of 1456	984	net.exe	48
PID 2068 wrote to memory of 848	2068	net.exe	47
PID 2068 wrote to memory of 848	2068	net.exe	47
PID 2068 wrote to memory of 848	2068	net.exe	47
PID 2068 wrote to memory of 848	2068	net.exe	47
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	53
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	53
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	53
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	53
PID 30660 wrote to memory of 30688	30660	net.exe	55
PID 30660 wrote to memory of 30688	30660	net.exe	55
PID 30660 wrote to memory of 30688	30660	net.exe	55
PID 30660 wrote to memory of 30688	30660	net.exe	55
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	56
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	56
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	56
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	56

C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe
  "C:\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
  "C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe
  "C:\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:848
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1456
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:848
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:30660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:30688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:30708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:29896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:246324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:246492
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:248716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:250288
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /NP /SC DAILY /TN "PrintSu" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\WCfIU.dll" /ST 10:25 /SD 10/28/2021 /ED 11/04/2021
  2⤵
  - Creates scheduled task(s)
  PID:533272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:557480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:561612
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:557488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:561604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:993624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:993668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:993656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:993700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.39616e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.396188e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.400272e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.4003e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.779984e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.784116e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.788204e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.788232e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.014088e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.014116e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.018192e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.01822e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.042868e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.858024e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.960704e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.816944e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.063344e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.063376e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.063396e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.063424e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.248228e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.24826e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.252348e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.252376e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.60154e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.601568e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.60976e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.609788e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.958952e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.95898e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2.967168e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2.967196e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3.094508e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3.094532e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3.094552e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3.094576e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3.094616e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3.09464e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3.094656e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3.09468e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3.18486e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3.184884e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3.1849e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3.184924e+06

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x44c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-67-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/1876-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download