ryuk | a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622

Analysis

max time kernel
167s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Size

208KB
MD5

fb61f86d2ea604337ff2da9aaf4585c6
SHA1

c5c63525bda35a317348adf7f2bd7eae9dee6de8
SHA256

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622
SHA512

a8f03d7c63f974556b9c7a2ec12ddc14b7f6124f8ec74520afb0a00e124fc932f07050d1ae64d5be600d08bc5f518a7c458d5ae4813234c32e6ed6b3a982bc69

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1172	taskhost.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1172	taskhost.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1172	taskhost.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Token: SeBackupPrivilege	1172	taskhost.exe
Token: SeBackupPrivilege	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1172	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	16
PID 1548 wrote to memory of 1308	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	15
PID 1548 wrote to memory of 648	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	27
PID 1548 wrote to memory of 648	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	27
PID 1548 wrote to memory of 648	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	27
PID 1548 wrote to memory of 848	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	29
PID 1548 wrote to memory of 848	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	29
PID 1548 wrote to memory of 848	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	29
PID 648 wrote to memory of 972	648	net.exe	32
PID 648 wrote to memory of 972	648	net.exe	32
PID 648 wrote to memory of 972	648	net.exe	32
PID 848 wrote to memory of 1676	848	net.exe	31
PID 848 wrote to memory of 1676	848	net.exe	31
PID 848 wrote to memory of 1676	848	net.exe	31
PID 1172 wrote to memory of 716	1172	taskhost.exe	34
PID 1172 wrote to memory of 716	1172	taskhost.exe	34
PID 1172 wrote to memory of 716	1172	taskhost.exe	34
PID 716 wrote to memory of 960	716	net.exe	35
PID 716 wrote to memory of 960	716	net.exe	35
PID 716 wrote to memory of 960	716	net.exe	35
PID 1172 wrote to memory of 1568	1172	taskhost.exe	36
PID 1172 wrote to memory of 1568	1172	taskhost.exe	36
PID 1172 wrote to memory of 1568	1172	taskhost.exe	36
PID 1568 wrote to memory of 1540	1568	net.exe	38
PID 1568 wrote to memory of 1540	1568	net.exe	38
PID 1568 wrote to memory of 1540	1568	net.exe	38
PID 1548 wrote to memory of 1480	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	39
PID 1548 wrote to memory of 1480	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	39
PID 1548 wrote to memory of 1480	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	39
PID 1480 wrote to memory of 1228	1480	net.exe	41
PID 1480 wrote to memory of 1228	1480	net.exe	41
PID 1480 wrote to memory of 1228	1480	net.exe	41
PID 1548 wrote to memory of 5012	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	44
PID 1548 wrote to memory of 5012	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	44
PID 1548 wrote to memory of 5012	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	44
PID 5012 wrote to memory of 5036	5012	net.exe	46
PID 5012 wrote to memory of 5036	5012	net.exe	46
PID 5012 wrote to memory of 5036	5012	net.exe	46
PID 1172 wrote to memory of 5232	1172	taskhost.exe	47
PID 1172 wrote to memory of 5232	1172	taskhost.exe	47
PID 1172 wrote to memory of 5232	1172	taskhost.exe	47
PID 5232 wrote to memory of 5260	5232	net.exe	49
PID 5232 wrote to memory of 5260	5232	net.exe	49
PID 5232 wrote to memory of 5260	5232	net.exe	49
PID 1548 wrote to memory of 5268	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	50
PID 1548 wrote to memory of 5268	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	50
PID 1548 wrote to memory of 5268	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	50
PID 5268 wrote to memory of 5296	5268	net.exe	52
PID 5268 wrote to memory of 5296	5268	net.exe	52
PID 5268 wrote to memory of 5296	5268	net.exe	52
PID 1548 wrote to memory of 16756	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	53
PID 1548 wrote to memory of 16756	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	53
PID 1548 wrote to memory of 16756	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	53
PID 16756 wrote to memory of 16780	16756	net.exe	55
PID 16756 wrote to memory of 16780	16756	net.exe	55
PID 16756 wrote to memory of 16780	16756	net.exe	55
PID 1172 wrote to memory of 16796	1172	taskhost.exe	56
PID 1172 wrote to memory of 16796	1172	taskhost.exe	56
PID 1172 wrote to memory of 16796	1172	taskhost.exe	56
PID 1548 wrote to memory of 16824	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	58
PID 1548 wrote to memory of 16824	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	58
PID 1548 wrote to memory of 16824	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	58
PID 16796 wrote to memory of 16840	16796	net.exe	60
PID 16796 wrote to memory of 16840	16796	net.exe	60

C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1676
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5036
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5296
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:16824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16856

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:960
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1540
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-56-0x000000013FA60000-0x000000013FD3C000-memory.dmp

Filesize
2.9MB

Download
memory/1172-57-0x000000013FA60000-0x000000013FD3C000-memory.dmp

Filesize
2.9MB

Download
memory/1308-59-0x000000013FA60000-0x000000013FD3C000-memory.dmp

Filesize
2.9MB

Download
memory/1548-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download