ryuk | c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

Analysis

max time kernel
170s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Size

192KB
MD5

ac4845378d6e9585c758efeffe713857
SHA1

4febb67955fa4743db70dad7481702bb46f60d69
SHA256

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10
SHA512

6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
884	nVwfPDf.exe

Loads dropped DLL 2 IoCs

pid	Process
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
384	icacls.exe
1528	icacls.exe
1820	icacls.exe
1824	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nVwfPDf.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1476	vssadmin.exe
1328	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
884	nVwfPDf.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
884	nVwfPDf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeBackupPrivilege	884	nVwfPDf.exe
Token: SeBackupPrivilege	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	27
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	27
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	27
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	27
PID 820 wrote to memory of 1112	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	17
PID 820 wrote to memory of 1176	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	15
PID 884 wrote to memory of 384	884	nVwfPDf.exe	28
PID 884 wrote to memory of 384	884	nVwfPDf.exe	28
PID 884 wrote to memory of 384	884	nVwfPDf.exe	28
PID 884 wrote to memory of 384	884	nVwfPDf.exe	28
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	29
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	29
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	29
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	29
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	32
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	32
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	32
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	32
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	34
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	34
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	34
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	34
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	36
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	36
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	36
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	36
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	38
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	38
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	38
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	38
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	40
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	40
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	40
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	40
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	41
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	41
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	41
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	41
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	46
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	46
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	46
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	46
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	43
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	43
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	43
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	43
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	48
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	48
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	48
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	48
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	50
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	50
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	50
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	50
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	52
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	52
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	52
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	52
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	54
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	54
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	54
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	54
PID 1416 wrote to memory of 1480	1416	cmd.exe	56
PID 1416 wrote to memory of 1480	1416	cmd.exe	56

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
"C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe
  "C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:384
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1752
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1476
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe" /f /reg:64
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:2700
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:36804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:36828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2116
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1820
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1824
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2160
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:24564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:23688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:26756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:36684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:36708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:36724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:36748

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1112-60-0x0000000030000000-0x000000003016F000-memory.dmp

Filesize
1.4MB

Download