Analysis
-
max time kernel
1801s -
max time network
1576s -
platform
windows11_x64 -
resource
win11 -
submitted
27-10-2021 08:52
Static task
static1
Behavioral task
behavioral1
Sample
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
Resource
win11
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
Resource
win10-en-20211014
windows10_x64
0 signatures
0 seconds
General
-
Target
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\RyukReadMe.html
Family
ryuk
Ransom Note
contact
balance of shadow universe
Ryuk
$password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion';
function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs
http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 3 IoCs
pid Process 4800 XHAzJeogsrep.exe 2908 ALTvQGCUzlan.exe 3784 vUbFAtJIxlan.exe -
Sets service image path in registry 2 TTPs
-
Drops startup file 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 1580 icacls.exe 2276 icacls.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\ja.pak.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\km.pak.DATA.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\MLModels\nexturl.ort.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\kk.pak.DATA.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\RyukReadMe.html 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.ELM 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\ca.pak.DATA 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\bg.pak.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\kok.pak.DATA.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\mt.pak.DATA 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\RyukReadMe.html 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFPROXY.DLL 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\WidevineCdm\_platform_specific\win_x64\RyukReadMe.html 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Trust Protection Lists\Sigma\Advertising 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Locales\km.pak 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\tr.pak.DATA.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\THMBNAIL.PNG.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\sr.pak.DATA.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Locales\lo.pak.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Locales\pt-BR.pak 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\ml.pak 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLL 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Locales\lb.pak 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_k_col.hxk 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.RYK 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4056 SCHTASKS.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root svchost.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeShutdownPrivilege 648 svchost.exe Token: SeCreatePagefilePrivilege 648 svchost.exe Token: SeShutdownPrivilege 648 svchost.exe Token: SeCreatePagefilePrivilege 648 svchost.exe Token: SeShutdownPrivilege 648 svchost.exe Token: SeCreatePagefilePrivilege 648 svchost.exe Token: SeShutdownPrivilege 2016 svchost.exe Token: SeCreatePagefilePrivilege 2016 svchost.exe Token: SeTakeOwnershipPrivilege 3784 WaaSMedicAgent.exe Token: SeSecurityPrivilege 3784 WaaSMedicAgent.exe Token: SeRestorePrivilege 3784 WaaSMedicAgent.exe Token: SeBackupPrivilege 3784 WaaSMedicAgent.exe Token: SeShutdownPrivilege 648 svchost.exe Token: SeCreatePagefilePrivilege 648 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2016 wrote to memory of 2416 2016 svchost.exe 85 PID 2016 wrote to memory of 2416 2016 svchost.exe 85 PID 504 wrote to memory of 4800 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 97 PID 504 wrote to memory of 4800 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 97 PID 504 wrote to memory of 4800 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 97 PID 504 wrote to memory of 2908 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 98 PID 504 wrote to memory of 2908 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 98 PID 504 wrote to memory of 2908 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 98 PID 504 wrote to memory of 3784 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 101 PID 504 wrote to memory of 3784 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 101 PID 504 wrote to memory of 3784 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 101 PID 504 wrote to memory of 1580 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 102 PID 504 wrote to memory of 1580 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 102 PID 504 wrote to memory of 1580 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 102 PID 504 wrote to memory of 2276 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 103 PID 504 wrote to memory of 2276 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 103 PID 504 wrote to memory of 2276 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 103 PID 504 wrote to memory of 2156 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 107 PID 504 wrote to memory of 2156 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 107 PID 504 wrote to memory of 2156 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 107 PID 504 wrote to memory of 4344 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 108 PID 504 wrote to memory of 4344 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 108 PID 504 wrote to memory of 4344 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 108 PID 504 wrote to memory of 556 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 111 PID 504 wrote to memory of 556 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 111 PID 504 wrote to memory of 556 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 111 PID 504 wrote to memory of 3688 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 110 PID 504 wrote to memory of 3688 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 110 PID 504 wrote to memory of 3688 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 110 PID 3688 wrote to memory of 4012 3688 net.exe 116 PID 3688 wrote to memory of 4012 3688 net.exe 116 PID 3688 wrote to memory of 4012 3688 net.exe 116 PID 4344 wrote to memory of 1516 4344 net.exe 119 PID 4344 wrote to memory of 1516 4344 net.exe 119 PID 4344 wrote to memory of 1516 4344 net.exe 119 PID 2156 wrote to memory of 4784 2156 net.exe 117 PID 2156 wrote to memory of 4784 2156 net.exe 117 PID 2156 wrote to memory of 4784 2156 net.exe 117 PID 556 wrote to memory of 4860 556 net.exe 118 PID 556 wrote to memory of 4860 556 net.exe 118 PID 556 wrote to memory of 4860 556 net.exe 118 PID 504 wrote to memory of 1448 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 123 PID 504 wrote to memory of 1448 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 123 PID 504 wrote to memory of 1448 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 123 PID 504 wrote to memory of 1200 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 124 PID 504 wrote to memory of 1200 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 124 PID 504 wrote to memory of 1200 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 124 PID 1448 wrote to memory of 4440 1448 net.exe 127 PID 1448 wrote to memory of 4440 1448 net.exe 127 PID 1448 wrote to memory of 4440 1448 net.exe 127 PID 1200 wrote to memory of 1904 1200 net.exe 128 PID 1200 wrote to memory of 1904 1200 net.exe 128 PID 1200 wrote to memory of 1904 1200 net.exe 128 PID 504 wrote to memory of 4056 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 129 PID 504 wrote to memory of 4056 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 129 PID 504 wrote to memory of 4056 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 129 PID 504 wrote to memory of 6128 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 131 PID 504 wrote to memory of 6128 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 131 PID 504 wrote to memory of 6128 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 131 PID 504 wrote to memory of 6952 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 132 PID 504 wrote to memory of 6952 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 132 PID 504 wrote to memory of 6952 504 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe 132 PID 6128 wrote to memory of 7140 6128 net.exe 135 PID 6128 wrote to memory of 7140 6128 net.exe 135
Processes
-
C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:504 -
C:\Users\Admin\AppData\Local\Temp\XHAzJeogsrep.exe"C:\Users\Admin\AppData\Local\Temp\XHAzJeogsrep.exe" 9 REP2⤵
- Executes dropped EXE
PID:4800
-
-
C:\Users\Admin\AppData\Local\Temp\ALTvQGCUzlan.exe"C:\Users\Admin\AppData\Local\Temp\ALTvQGCUzlan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:2908
-
-
C:\Users\Admin\AppData\Local\Temp\vUbFAtJIxlan.exe"C:\Users\Admin\AppData\Local\Temp\vUbFAtJIxlan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:3784
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1580
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:2276
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:4784
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:1516
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4012
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4860
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4440
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:1904
-
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /CREATE /NP /SC DAILY /TN "Printbd" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\ISXLC.dll" /ST 10:25 /SD 10/27/2021 /ED 11/03/20212⤵
- Creates scheduled task(s)
PID:4056
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:6128 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:7140
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:6952
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4076
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8036
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8392
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:7780
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:3388
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8440
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8224
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:7484
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8684
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:7484
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:772
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8132
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:3580
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8776
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:3584
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8124
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8792
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:9804
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:9444
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:9472
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11240
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11108
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:10440
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:3240
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:1496
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11884
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11588
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:10780
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:12208
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11812
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11448
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:10764
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11724
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:7668
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11776
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:10488
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:10848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11644
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11380
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11688
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11776
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11556
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11660
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:10764
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11424
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:12208
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:11384
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:11940
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:14732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:15080
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:13548
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:15276
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 376e07a0ba51a492cb17379848b52f46 lFyBKUogyk6jKtdgwC+PlQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:2416
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:3984
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 376e07a0ba51a492cb17379848b52f46 lFyBKUogyk6jKtdgwC+PlQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
PID:1580