ryuk | 4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

Analysis

max time kernel
289s
max time network
216s
platform
windows7_x64
resource
win7v20210408
submitted
10-06-2021 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ff457Rk.bin.exe
Size

304KB
MD5

5ecae137bf33ecbb981f3b637b06efc5
SHA1

371e01949b1c7316164021e38d624ffbcba3090a
SHA256

4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3
SHA512

753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'yxFS7vMc'; $torlink = 'http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
752	1073r.exe
476	qAAiwCztslan.exe

Modifies extensions of user files 26 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\WatchHide.tif.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\OutInitialize.crw.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\TraceStop.raw.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RepairSearch.crw.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeSync.crw.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RenameTest.raw.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\GetFind.png.RYK	35ff457Rk.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\GrantFind.png.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchRestart.tif.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SyncOpen.png.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff.RYK	35ff457Rk.bin.exe

Loads dropped DLL 4 IoCs

pid	Process
1892	35ff457Rk.bin.exe
1892	35ff457Rk.bin.exe
1892	35ff457Rk.bin.exe
1892	35ff457Rk.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	35ff457Rk.bin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	35ff457Rk.bin.exe
File opened (read-only)	\??\J:	35ff457Rk.bin.exe
File opened (read-only)	\??\H:	35ff457Rk.bin.exe
File opened (read-only)	\??\G:	35ff457Rk.bin.exe
File opened (read-only)	\??\Y:	35ff457Rk.bin.exe
File opened (read-only)	\??\W:	35ff457Rk.bin.exe
File opened (read-only)	\??\V:	35ff457Rk.bin.exe
File opened (read-only)	\??\T:	35ff457Rk.bin.exe
File opened (read-only)	\??\P:	35ff457Rk.bin.exe
File opened (read-only)	\??\O:	35ff457Rk.bin.exe
File opened (read-only)	\??\K:	35ff457Rk.bin.exe
File opened (read-only)	\??\I:	35ff457Rk.bin.exe
File opened (read-only)	\??\B:	35ff457Rk.bin.exe
File opened (read-only)	\??\U:	35ff457Rk.bin.exe
File opened (read-only)	\??\S:	35ff457Rk.bin.exe
File opened (read-only)	\??\L:	35ff457Rk.bin.exe
File opened (read-only)	\??\E:	35ff457Rk.bin.exe
File opened (read-only)	\??\N:	35ff457Rk.bin.exe
File opened (read-only)	\??\F:	35ff457Rk.bin.exe
File opened (read-only)	\??\Z:	35ff457Rk.bin.exe
File opened (read-only)	\??\X:	35ff457Rk.bin.exe
File opened (read-only)	\??\R:	35ff457Rk.bin.exe
File opened (read-only)	\??\Q:	35ff457Rk.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG.HXS.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL.IDX_DLL.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.XML	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWSS.DLL.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\RyukReadMe.html	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0136865.WMF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02724_.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\THMBNAIL.PNG	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107514.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.DLL.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00623_.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00784_.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.INF.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18213_.WMF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXT	35ff457Rk.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.RYK	35ff457Rk.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.RYK	35ff457Rk.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	35ff457Rk.bin.exe
1892	35ff457Rk.bin.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 752	1892	35ff457Rk.bin.exe	29
PID 1892 wrote to memory of 752	1892	35ff457Rk.bin.exe	29
PID 1892 wrote to memory of 752	1892	35ff457Rk.bin.exe	29
PID 1892 wrote to memory of 752	1892	35ff457Rk.bin.exe	29
PID 1892 wrote to memory of 476	1892	35ff457Rk.bin.exe	30
PID 1892 wrote to memory of 476	1892	35ff457Rk.bin.exe	30
PID 1892 wrote to memory of 476	1892	35ff457Rk.bin.exe	30
PID 1892 wrote to memory of 476	1892	35ff457Rk.bin.exe	30
PID 1892 wrote to memory of 1248	1892	35ff457Rk.bin.exe	31
PID 1892 wrote to memory of 1248	1892	35ff457Rk.bin.exe	31
PID 1892 wrote to memory of 1248	1892	35ff457Rk.bin.exe	31
PID 1892 wrote to memory of 1248	1892	35ff457Rk.bin.exe	31
PID 1892 wrote to memory of 912	1892	35ff457Rk.bin.exe	32
PID 1892 wrote to memory of 912	1892	35ff457Rk.bin.exe	32
PID 1892 wrote to memory of 912	1892	35ff457Rk.bin.exe	32
PID 1892 wrote to memory of 912	1892	35ff457Rk.bin.exe	32
PID 1892 wrote to memory of 2036	1892	35ff457Rk.bin.exe	35
PID 1892 wrote to memory of 2036	1892	35ff457Rk.bin.exe	35
PID 1892 wrote to memory of 2036	1892	35ff457Rk.bin.exe	35
PID 1892 wrote to memory of 2036	1892	35ff457Rk.bin.exe	35
PID 1248 wrote to memory of 576	1248	net.exe	41
PID 1248 wrote to memory of 576	1248	net.exe	41
PID 1248 wrote to memory of 576	1248	net.exe	41
PID 1248 wrote to memory of 576	1248	net.exe	41
PID 1892 wrote to memory of 1076	1892	35ff457Rk.bin.exe	36
PID 1892 wrote to memory of 1076	1892	35ff457Rk.bin.exe	36
PID 1892 wrote to memory of 1076	1892	35ff457Rk.bin.exe	36
PID 1892 wrote to memory of 1076	1892	35ff457Rk.bin.exe	36
PID 912 wrote to memory of 1092	912	net.exe	37
PID 912 wrote to memory of 1092	912	net.exe	37
PID 912 wrote to memory of 1092	912	net.exe	37
PID 912 wrote to memory of 1092	912	net.exe	37
PID 2036 wrote to memory of 1452	2036	net.exe	40
PID 2036 wrote to memory of 1452	2036	net.exe	40
PID 2036 wrote to memory of 1452	2036	net.exe	40
PID 2036 wrote to memory of 1452	2036	net.exe	40
PID 1076 wrote to memory of 1012	1076	net.exe	42
PID 1076 wrote to memory of 1012	1076	net.exe	42
PID 1076 wrote to memory of 1012	1076	net.exe	42
PID 1076 wrote to memory of 1012	1076	net.exe	42

C:\Users\Admin\AppData\Local\Temp\35ff457Rk.bin.exe
"C:\Users\Admin\AppData\Local\Temp\35ff457Rk.bin.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Users\Admin\AppData\Local\Temp\qAAiwCztslan.exe
  "C:\Users\Admin\AppData\Local\Temp\qAAiwCztslan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:476
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/476-73-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/752-71-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1892-61-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1892-59-0x0000000000220000-0x0000000000246000-memory.dmp

Filesize
152KB

Download
memory/1892-60-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download