Analysis
- max time kernel: 51s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-04-2021 06:42

Static task: static1

Behavioral task: behavioral1
- Sample: wyooy@aol.com.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: wyooy@aol.com.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: wyooy@aol.com.exe
- Size: 1.3MB
- MD5: 645d774a869c582b2c46beed455321d4
- SHA1: e94862c25377373f54ce668051df0d95d3746514
- SHA256: 21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4
- SHA512: 2c7cc053ed79e52f7e2ae508d2d832e6efa0b9a24dc71158fbc25d829c3d9ad8aa8f5c04e7fff94152dacc04cc1d7604da147ee201d900efcbcc62fe95f15b81
- Score: 8/10
Malware Config
Signatures

- Modifies Windows Firewall (1 TTPs)

- Drops desktop.ini file(s) (7 IoCs)
  Process: wyooy@aol.com.exe
  - File opened for modification: C:\Program Files\desktop.ini
  - File created: C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
  - File created: C:\Program Files\desktop.ini
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
  - File created: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  - File opened for modification: C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
Drops file in Program Files directory 64 IoCs
- NTFS ADS (2 IoCs)
  Process: wyooy@aol.com.exe
  - File opened for modification: C:\Documents and Settings\zh-TW\8:늨Qŭt.ex
  - File opened for modification: C:\Documents and Settings\zh-TW\8:둘QƁt.ex

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Process: wyooy@aol.com.exe (PID 1000)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (indented by parent/child depth; image path, then command line)

C:\Users\Admin\AppData\Local\Temp\wyooy@aol.com.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\wyooy@aol.com.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSDTC
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      cmd: net stop MSDTC
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSDTC

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      cmd: net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop SQLSERVERAGENT

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      cmd: net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSSQLSERVER

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop vds
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      cmd: net stop vds
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop vds

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall set currentprofile state off

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      cmd: netsh firewall set opmode mode=disable

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      cmd: net stop SQLWriter
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop SQLWriter

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    C:\Windows\SysWOW64\net.exe
      cmd: net stop SQLBrowser
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop SQLBrowser

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    C:\Windows\SysWOW64\net.exe
      cmd: net stop MSSQLSERVER
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSSQLSERVER

  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    C:\Windows\SysWOW64\net.exe
      cmd: net stop MSSQL$CONTOSO1
      C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads