Analysis
max time kernel: 188s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 20-02-2022 08:45
Static task: static1
Behavioral task: behavioral1
  Sample: 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
  Resource: win10v2004-en-20220112
General
Target: 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
Size: 208KB
MD5: c596f71c6048997c88e80b57f045b891
SHA1: ed2b5d11f20648a49a11be1795be5632c412879d
SHA256: 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122
SHA512: e18effe825ca1355bafcaf1da41bdf0485bab3af2898d963c059b922f03c2128756da679667b6480234bb3daed4b2e2a366241782f9f4b404ca7897683cc11eb
Malware Config
Extracted
Path: C:\RyukReadMe.txt
Family: ryuk
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4484 created 228 | 4484 | WerFault.exe | 31
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | sihost.exe
File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | sihost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4292 | 2732 | WerFault.exe | 47
5260 | 228 | WerFault.exe | 31
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
Modifies data under HKEY_USERS 19 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | RuntimeBroker.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{EBFFE777-2597-406A-AF95-44B0BF50C46A} | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp | RuntimeBroker.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2240 | sihost.exe
2240 | sihost.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2240 | sihost.exe
2240 | sihost.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
Token: SeBackupPrivilege | 2240 | sihost.exe
Token: SeBackupPrivilege | 2844 | StartMenuExperienceHost.exe
Token: SeBackupPrivilege | 228 | backgroundTaskHost.exe
Token: SeBackupPrivilege | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
Token: SeShutdownPrivilege | 2908 | RuntimeBroker.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4896 | StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2036 wrote to memory of 2240 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 52
PID 2036 wrote to memory of 2252 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 51
PID 2036 wrote to memory of 2296 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 50
PID 2036 wrote to memory of 2536 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 48
PID 2036 wrote to memory of 2732 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 47
PID 2036 wrote to memory of 2844 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 46
PID 2036 wrote to memory of 2908 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 24
PID 2036 wrote to memory of 2992 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 45
PID 2036 wrote to memory of 3116 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 28
PID 2036 wrote to memory of 3516 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 26
PID 2036 wrote to memory of 2900 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 41
PID 2036 wrote to memory of 116 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 32
PID 2036 wrote to memory of 228 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 31
PID 2732 wrote to memory of 4292 | 2732 | DllHost.exe | 63
PID 2732 wrote to memory of 4292 | 2732 | DllHost.exe | 63
PID 2240 wrote to memory of 4700 | 2240 | sihost.exe | 65
PID 2240 wrote to memory of 4700 | 2240 | sihost.exe | 65
PID 2036 wrote to memory of 4856 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 67
PID 2036 wrote to memory of 4856 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 67
PID 2036 wrote to memory of 4864 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 66
PID 2036 wrote to memory of 4864 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 66
PID 2240 wrote to memory of 4928 | 2240 | sihost.exe | 69
PID 2240 wrote to memory of 4928 | 2240 | sihost.exe | 69
PID 2036 wrote to memory of 3200 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 75
PID 2036 wrote to memory of 3200 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 75
PID 2036 wrote to memory of 4384 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 76
PID 2036 wrote to memory of 4384 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 76
PID 4856 wrote to memory of 5072 | 4856 | net.exe | 80
PID 4856 wrote to memory of 5072 | 4856 | net.exe | 80
PID 4864 wrote to memory of 2204 | 4864 | net.exe | 77
PID 4864 wrote to memory of 2204 | 4864 | net.exe | 77
PID 4928 wrote to memory of 1608 | 4928 | net.exe | 79
PID 4928 wrote to memory of 1608 | 4928 | net.exe | 79
PID 4700 wrote to memory of 4892 | 4700 | net.exe | 78
PID 4700 wrote to memory of 4892 | 4700 | net.exe | 78
PID 3200 wrote to memory of 5568 | 3200 | net.exe | 85
PID 3200 wrote to memory of 5568 | 3200 | net.exe | 85
PID 4384 wrote to memory of 5576 | 4384 | net.exe | 84
PID 4384 wrote to memory of 5576 | 4384 | net.exe | 84
PID 4484 wrote to memory of 228 | 4484 | WerFault.exe | 31
PID 4484 wrote to memory of 228 | 4484 | WerFault.exe | 31
PID 2240 wrote to memory of 5968 | 2240 | sihost.exe | 86
PID 2240 wrote to memory of 5968 | 2240 | sihost.exe | 86
PID 5968 wrote to memory of 6020 | 5968 | net.exe | 88
PID 5968 wrote to memory of 6020 | 5968 | net.exe | 88
PID 2240 wrote to memory of 6040 | 2240 | sihost.exe | 89
PID 2240 wrote to memory of 6040 | 2240 | sihost.exe | 89
PID 6040 wrote to memory of 6092 | 6040 | net.exe | 91
PID 6040 wrote to memory of 6092 | 6040 | net.exe | 91
PID 2036 wrote to memory of 6140 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 92
PID 2036 wrote to memory of 6140 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 92
PID 2036 wrote to memory of 5272 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 94
PID 2036 wrote to memory of 5272 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 94
PID 2036 wrote to memory of 5264 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 96
PID 2036 wrote to memory of 5264 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 96
PID 6140 wrote to memory of 2628 | 6140 | net.exe | 98
PID 6140 wrote to memory of 2628 | 6140 | net.exe | 98
PID 5264 wrote to memory of 2308 | 5264 | net.exe | 99
PID 5264 wrote to memory of 2308 | 5264 | net.exe | 99
PID 5272 wrote to memory of 2160 | 5272 | net.exe | 100
PID 5272 wrote to memory of 2160 | 5272 | net.exe | 100
PID 2036 wrote to memory of 4464 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 101
PID 2036 wrote to memory of 4464 | 2036 | 30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe | 101
PID 4464 wrote to memory of 396 | 4464 | net.exe | 103
Processes
(Child processes are indented under their parent.)

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2908

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3516

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3116

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - Suspicious use of AdjustPrivilegeToken
  PID: 228
    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 228 -s 3008
      - Program crash
      PID: 5260

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 116

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  PID: 2900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 2992

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of WriteProcessMemory
  PID: 2732
    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2732 -s 976
      - Program crash
      PID: 4292

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
  PID: 2536

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2296

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  PID: 2252

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2240
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      PID: 4700
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          PID: 4892
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      PID: 4928
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "samss" /y
          PID: 1608
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      PID: 5968
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          PID: 6020
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      PID: 6040
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "samss" /y
          PID: 6092

C:\Users\Admin\AppData\Local\Temp\30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2036
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      PID: 4864
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          PID: 2204
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      PID: 4856
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          PID: 5072
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      PID: 3200
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "samss" /y
          PID: 5568
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      PID: 4384
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "samss" /y
          PID: 5576
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      PID: 6140
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          PID: 2628
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      PID: 5272
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "samss" /y
          PID: 2160
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      PID: 5264
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          PID: 2308
    C:\Windows\System32\net.exe
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      PID: 4464
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "samss" /y
          PID: 396

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 656

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 228 -ip 228
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
  PID: 4484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 4896

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Modifies data under HKEY_USERS
  PID: 4988