Analysis
- max time kernel: 176s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 20-02-2022 07:12

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  Resource: win10v2004-en-20220112

General
- Target: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
- Size: 202KB
- MD5: ab390eb9f4302cb3ecfbf63027e177ca
- SHA1: 1b84a4c57c6e54a13db6cd49b7e1673b97d02d0f
- SHA256: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177
- SHA512: ce7152a2a844a7e2fc7134e5125823ebdcc355191f73d687af282b8f3b3f123a68990e51402d35d6ac6ebf44ac8abe54303cb381b946868316415b8caa1e2d77

Malware Config
- Extracted from: C:\RyukReadMe.txt
- Family: ryuk
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  description              pid   Process       procid_target
  PID 5080 created 1180    5080  WerFault.exe  57
  PID 4556 created 2908    4556  WerFault.exe  44

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe)

Drops desktop.ini file(s) (3 IoCs)
- File opened for modification: C:\Documents and Settings\Admin\3D Objects\desktop.ini (sihost.exe)
- File opened for modification: C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini (56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe)
- File opened for modification: C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini (sihost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  4476  2812        WerFault.exe  45
  5792  1180        WerFault.exe  57
  5784  2908        WerFault.exe  44

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WerFault.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WerFault.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WerFault.exe)

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WerFault.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WerFault.exe)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable (RuntimeBroker.exe)
- Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System (RuntimeBroker.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3172  56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  Token: SeBackupPrivilege  2284  sihost.exe
  Token: SeBackupPrivilege  2908  StartMenuExperienceHost.exe
  Token: SeBackupPrivilege  1180  BackgroundTransferHost.exe
  Token: SeBackupPrivilege  3172  56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  3384  RuntimeBroker.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\sihost.exe (PID 2284)
  Command line: sihost.exe
  Signatures: Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\net.exe (PID 4732)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5488)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 5172)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5536)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 5228)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5544)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 5336)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5508)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 5704)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - C:\Windows\system32\net1.exe (PID 5168)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 6096)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe (PID 5272)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 3908)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    - C:\Windows\system32\net1.exe (PID 1464)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 2776)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - C:\Windows\system32\net1.exe (PID 5776)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 4040)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe (PID 4512)
      Command line: C:\Windows\system32\net1 stop "samss" /y
- C:\Windows\system32\svchost.exe (PID 2304)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\taskhostw.exe (PID 2344)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe (PID 2612)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\system32\backgroundTaskHost.exe (PID 3372)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3384)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of UnmapMainImage
- C:\Windows\System32\RuntimeBroker.exe (PID 3516)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3128)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 772)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3008)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 2908)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (PID 5784)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2908 -s 3300
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DllHost.exe (PID 2812)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 4476)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2812 -s 944
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe (PID 3172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe"
  Signatures: Checks computer location settings; Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\net.exe (PID 4528)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5520)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 4752)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5528)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 5284)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5760)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 5440)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5744)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 5500)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5656)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 5564)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 5752)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 5368)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2100)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 5384)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    - C:\Windows\system32\net1.exe (PID 5588)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 5728)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - C:\Windows\system32\net1.exe (PID 1480)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 5720)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - C:\Windows\system32\net1.exe (PID 540)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 4600)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe (PID 5652)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 6136)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe (PID 5664)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 2176)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    - C:\Windows\system32\net1.exe (PID 5580)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 4088)
    Command line: "C:\Windows\System32\net.exe" stop "spooler" /y
    - C:\Windows\system32\net1.exe (PID 3100)
      Command line: C:\Windows\system32\net1 stop "spooler" /y
  - C:\Windows\System32\net.exe (PID 3956)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - C:\Windows\system32\net1.exe (PID 5244)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 2900)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    - C:\Windows\system32\net1.exe (PID 4328)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe (PID 3876)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe (PID 2944)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe (PID 3592)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe (PID 3004)
      Command line: C:\Windows\system32\net1 stop "samss" /y
- C:\Windows\system32\BackgroundTransferHost.exe (PID 1180)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (PID 5792)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1180 -s 2796
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WerFault.exe (PID 5080)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1180 -ip 1180
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe (PID 4556)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 504 -p 2908 -ip 2908
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory