4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6

Resubmissions

12/12/2024, 19:32

241212-x9e15svnbv 10

12/12/2024, 19:32

241212-x8638sxjep 9

12/12/2024, 19:19

241212-x1wyaswqbq 10

Analysis

max time kernel
5s
max time network
4s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12/12/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe
Size

624KB
MD5

84b88ac81e4872ff3bf15c72f431d101
SHA1

0823d067541de16325e5454a91b57262365a0705
SHA256

4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6
SHA512

185691b0103669c5aa25b22c36f29ddb66f074e0f2e3ae6a36ed8917c35f1fba71fba65c11c3211ce64f6c5919ac879ce0fdcc4dddae420cbecf40711dff1860
SSDEEP

12288:V4eCA30wfnlxvaUwZNf6qYID7ZJuIQOsknZh20QyCkje0ZM7qgbGKTO7muYpralU:3C8valgsDyfSBKXyMUkW2LILGBm3IzPB

Score

3^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4556	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	powershell.exe
4556	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4556	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	84
PID 4704 wrote to memory of 4556	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	84
PID 4704 wrote to memory of 4556	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	84
PID 4704 wrote to memory of 2328	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	87
PID 4704 wrote to memory of 2328	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	87
PID 4704 wrote to memory of 2328	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	87
PID 2328 wrote to memory of 3328	2328	net.exe	89
PID 2328 wrote to memory of 3328	2328	net.exe	89
PID 2328 wrote to memory of 3328	2328	net.exe	89
PID 4704 wrote to memory of 3980	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	90
PID 4704 wrote to memory of 3980	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	90
PID 4704 wrote to memory of 3980	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	90
PID 3980 wrote to memory of 1900	3980	net.exe	92
PID 3980 wrote to memory of 1900	3980	net.exe	92
PID 3980 wrote to memory of 1900	3980	net.exe	92
PID 4704 wrote to memory of 456	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	93
PID 4704 wrote to memory of 456	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	93
PID 4704 wrote to memory of 456	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	93
PID 456 wrote to memory of 3900	456	net.exe	95
PID 456 wrote to memory of 3900	456	net.exe	95
PID 456 wrote to memory of 3900	456	net.exe	95
PID 4704 wrote to memory of 4300	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	96
PID 4704 wrote to memory of 4300	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	96
PID 4704 wrote to memory of 4300	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	96
PID 4300 wrote to memory of 2836	4300	net.exe	98
PID 4300 wrote to memory of 2836	4300	net.exe	98
PID 4300 wrote to memory of 2836	4300	net.exe	98
PID 4704 wrote to memory of 1828	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	99
PID 4704 wrote to memory of 1828	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	99
PID 4704 wrote to memory of 1828	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	99
PID 1828 wrote to memory of 1076	1828	net.exe	101
PID 1828 wrote to memory of 1076	1828	net.exe	101
PID 1828 wrote to memory of 1076	1828	net.exe	101
PID 4704 wrote to memory of 2036	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	102
PID 4704 wrote to memory of 2036	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	102
PID 4704 wrote to memory of 2036	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	102
PID 2036 wrote to memory of 4324	2036	net.exe	104
PID 2036 wrote to memory of 4324	2036	net.exe	104
PID 2036 wrote to memory of 4324	2036	net.exe	104
PID 4704 wrote to memory of 4612	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	105
PID 4704 wrote to memory of 4612	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	105
PID 4704 wrote to memory of 4612	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	105
PID 4612 wrote to memory of 1140	4612	net.exe	107
PID 4612 wrote to memory of 1140	4612	net.exe	107
PID 4612 wrote to memory of 1140	4612	net.exe	107
PID 4704 wrote to memory of 1932	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	108
PID 4704 wrote to memory of 1932	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	108
PID 4704 wrote to memory of 1932	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	108
PID 1932 wrote to memory of 4488	1932	net.exe	110
PID 1932 wrote to memory of 4488	1932	net.exe	110
PID 1932 wrote to memory of 4488	1932	net.exe	110
PID 4704 wrote to memory of 2712	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	111
PID 4704 wrote to memory of 2712	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	111
PID 4704 wrote to memory of 2712	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	111
PID 2712 wrote to memory of 3008	2712	net.exe	113
PID 2712 wrote to memory of 3008	2712	net.exe	113
PID 2712 wrote to memory of 3008	2712	net.exe	113
PID 4704 wrote to memory of 4028	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	114
PID 4704 wrote to memory of 4028	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	114
PID 4704 wrote to memory of 4028	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	114
PID 4028 wrote to memory of 848	4028	net.exe	116
PID 4028 wrote to memory of 848	4028	net.exe	116
PID 4028 wrote to memory of 848	4028	net.exe	116
PID 4704 wrote to memory of 4780	4704	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe	117

C:\Users\Admin\AppData\Local\Temp\4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe
"C:\Users\Admin\AppData\Local\Temp\4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1076
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4488
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:780
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3496
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3164
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3076
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:724
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s23x3rec.fkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4556-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4556-1-0x0000000002100000-0x0000000002136000-memory.dmp

Filesize
216KB

Download
memory/4556-3-0x0000000004D70000-0x000000000543A000-memory.dmp

Filesize
6.8MB

Download
memory/4556-2-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/4556-4-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/4556-10-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4556-15-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4556-16-0x0000000005620000-0x0000000005977000-memory.dmp

Filesize
3.3MB

Download
memory/4556-17-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

Filesize
120KB

Download
memory/4556-18-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/4556-21-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download