Analysis
- max time kernel: 181s
- max time network: 231s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 02:20
Static task: static1
Behavioral task: behavioral1
- Sample: c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
- Resource: win10v2004-en-20220113
General
- Target: c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
- Size: 192KB
- MD5: ac4845378d6e9585c758efeffe713857
- SHA1: 4febb67955fa4743db70dad7481702bb46f60d69
- SHA256: c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10
- SHA512: 6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
- Family: ryuk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1600  pziWeTX.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe)
    - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: pziWeTX.exe)
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    pid   process
    1828  icacls.exe
    3840  icacls.exe
    1120  icacls.exe
    628   icacls.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
    - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" (process: reg.exe)
    - Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pziWeTX.exe" (process: reg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    1600  pziWeTX.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    1600  pziWeTX.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
    Token: SeBackupPrivilege    1600  pziWeTX.exe
    Token: SeBackupPrivilege    4200  c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
  The remaining 42 IoCs are the same 21 tokens, each adjusted first by WMIC.exe (pid 1872) and then by WMIC.exe (pid 5060):
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each row is "PID <source> wrote to memory of <target>"; the count column gives how many times the event was recorded):
    source pid  source process                                                          target pid  target process               count
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    1600        pziWeTX.exe                  3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    2396        sihost.exe                   1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    1816        net.exe                      3
    1816        net.exe                                                                 2776        net1.exe                     3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3452        net.exe                      3
    3452        net.exe                                                                 3360        net1.exe                     3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    2424        svchost.exe                  1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    2508        taskhostw.exe                1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3104        svchost.exe                  1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3296        DllHost.exe                  1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3396        StartMenuExperienceHost.exe  1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3460        RuntimeBroker.exe            1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3544        SearchApp.exe                1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3772        RuntimeBroker.exe            1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    440         RuntimeBroker.exe            1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    4344        backgroundTaskHost.exe       1
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    2724        RuntimeBroker.exe            1
    1600        pziWeTX.exe                                                             1828        icacls.exe                   3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    3840        icacls.exe                   3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    628         icacls.exe                   3
    1600        pziWeTX.exe                                                             1120        icacls.exe                   3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    2380        cmd.exe                      3
    1600        pziWeTX.exe                                                             1108        cmd.exe                      3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    2228        net.exe                      3
    2228        net.exe                                                                 4268        net1.exe                     3
    4200        c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe    4300        cmd.exe                      3
    1600        pziWeTX.exe                                                             848         net.exe                      3
    848         net.exe                                                                 1164        net1.exe                     3
    4300        cmd.exe                                                                 1656        reg.exe                      3
    2380        cmd.exe                                                                 1872        WMIC.exe                     1
Processes
(Process tree; each entry gives the image path, then the command line on the following line, then any signatures attributed to that process. Indentation shows parent/child relationships.)

- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
  "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe
    "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" 8 LAN
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      Signatures: Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      cmd /c "WMIC.exe shadowcopy delet"
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        WMIC.exe shadowcopy delet
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      Signatures: Modifies file permissions
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" /f /reg:64
      - C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" /f /reg:64
        Signatures: Adds Run key to start application
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
      Signatures: Adds Run key to start application
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
  MD5: 93a5aadeec082ffc1bca5aa27af70f52
  SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
  SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
  SHA512: df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
- C:\RyukReadMe.html
  MD5: b8d47880de3aa1b3e8ebcfa62510b0f1
  SHA1: 541e9a0841cfc17d7a61eb89973359a75ec64aaa
  SHA256: 6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73
  SHA512: cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702
- C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
  MD5: b8d47880de3aa1b3e8ebcfa62510b0f1
  SHA1: 541e9a0841cfc17d7a61eb89973359a75ec64aaa
  SHA256: 6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73
  SHA512: cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702
- C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe
  MD5: ac4845378d6e9585c758efeffe713857
  SHA1: 4febb67955fa4743db70dad7481702bb46f60d69
  SHA256: c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10
  SHA512: 6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874
- C:\Users\RyukReadMe.html
  MD5: b8d47880de3aa1b3e8ebcfa62510b0f1
  SHA1: 541e9a0841cfc17d7a61eb89973359a75ec64aaa
  SHA256: 6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73
  SHA512: cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702