ryuk | def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86

Analysis

max time kernel
168s
max time network
32s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
Size

202KB
MD5

19c2252f877112192dd1112dde32e3d4
SHA1

33f7c585527d012ba115d313003ca52b0fabcdb6
SHA256

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86
SHA512

4f639986b6464c5b7802ed8f4bb2f069489da5ea556181db51b0ced62cf9e0f2afc8287d99b7a3678ed9402b629f4205dd8a92c4f4862977b2294f7df2a941bc

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 61 IoCs

Processes:

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

pid	process
1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

description pid process

Token: SeBackupPrivilege 1820 def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

description	pid	process
Token: SeBackupPrivilege	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1820 wrote to memory of 524	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 524	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 524	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 1652	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 1652	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 1652	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 524 wrote to memory of 1744	524	net.exe	net1.exe
PID 1652 wrote to memory of 1772	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1772	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1772	1652	net.exe	net1.exe
PID 524 wrote to memory of 1744	524	net.exe	net1.exe
PID 524 wrote to memory of 1744	524	net.exe	net1.exe
PID 1820 wrote to memory of 15176	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 15176	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 15176	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 15176 wrote to memory of 15320	15176	net.exe	net1.exe
PID 15176 wrote to memory of 15320	15176	net.exe	net1.exe
PID 15176 wrote to memory of 15320	15176	net.exe	net1.exe
PID 1820 wrote to memory of 740	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 740	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 1820 wrote to memory of 740	1820	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	net.exe
PID 740 wrote to memory of 680	740	net.exe	net1.exe
PID 740 wrote to memory of 680	740	net.exe	net1.exe
PID 740 wrote to memory of 680	740	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
"C:\Users\Admin\AppData\Local\Temp\def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:15176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:680

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads