hive | db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e

Resubmissions

30/11/2021, 13:37

211130-qxasbsacb8 10

30/11/2021, 13:35

211130-qvmzwafagn 10

30/11/2021, 13:31

211130-qstpmsfafq 10

Analysis

max time kernel
55s
max time network
128s
platform
windows10_x64
resource
win10-en-20211014
submitted
30/11/2021, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
Size

2.5MB
MD5

6c1665d8f03efdc96991956f4d7f310d
SHA1

bbbb0836a9f0d2525539d65669d35d8e528f96d1
SHA256

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e
SHA512

c633c67c5a8e2b5c856027475d0d0bb2075a6b2d54486e080c737d4dce7a71ffbd83acddcf60dc53854e72b91bf05e25c1e02a55fbd0b93ca66b61691d5b96b7

Score

10^/10

hive ransomware

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-941723256-3451054534-3089625102-1000\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcp120.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\ExpandConfirm.bat	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe.vJ1qaGaEVnQJ656db5VQt92nZd8dnZVDHKQDN-9qkF4.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\ConvertUse.vsdx.vJ1qaGaEVnQJ656db5VQt2gKbpupDUgh9fnExRfjl3U.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\DenyGrant.snd.vJ1qaGaEVnQJ656db5VQt4R4N_LOMvl9n6V2HhEOFio.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\InstallRemove.mp4.vJ1qaGaEVnQJ656db5VQt4cq7Evh4AZ_U9ceQqxsMEA.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar.vJ1qaGaEVnQJ656db5VQt18cAmCKR7ZMxU2AQiaDvSg.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\FlickLearningWizard.exe.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.vJ1qaGaEVnQJ656db5VQt_YZA78LhRthYBEY1kG_mxY.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png.vJ1qaGaEVnQJ656db5VQt2PASIp6VMI9Ma0MPyGhjjI.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.vJ1qaGaEVnQJ656db5VQtz7HWtbUH-AjGLsmS0h1Vzk.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ca.pak	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.vJ1qaGaEVnQJ656db5VQt6ZZRmY2ozEUi13f3veQDi4.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jli.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.vJ1qaGaEVnQJ656db5VQt6k9Sx1rRTBvskulsizTzAw.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.vJ1qaGaEVnQJ656db5VQty_rDUUqGPISC9hnB8QLhVg.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.vJ1qaGaEVnQJ656db5VQt2RS7I-zH6w3OolWvn-yVD8.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\GetResolve.odp.vJ1qaGaEVnQJ656db5VQt8w7DJ8J6dNY85jDFQLmEUo.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\libGLESv2.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\LICENSE.vJ1qaGaEVnQJ656db5VQtwRqbECrSUhYryR42YtyiFE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe.vJ1qaGaEVnQJ656db5VQtx4huDzLw98VNUBLrzh56x4.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe.vJ1qaGaEVnQJ656db5VQt9iaWS3eYZVhyb-JsgrwBGE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\uk.pak	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt.vJ1qaGaEVnQJ656db5VQt7euTh-GHkcp-FDdahqILVw.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak.vJ1qaGaEVnQJ656db5VQt-uanOLMMrpQTbvgr1jLi1c.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
968	timeout.exe
1696	timeout.exe
680	timeout.exe
3736	timeout.exe
2208	timeout.exe
1364	timeout.exe
2412	timeout.exe
1500	timeout.exe
704	timeout.exe
2100	timeout.exe
2252	timeout.exe
4088	timeout.exe
876	timeout.exe
1260	timeout.exe
2908	timeout.exe
3780	timeout.exe
3520	timeout.exe
3176	timeout.exe
2376	timeout.exe
3032	timeout.exe
3824	timeout.exe
1944	timeout.exe
3264	timeout.exe
1876	timeout.exe
1964	timeout.exe
1368	timeout.exe
4000	timeout.exe
1008	timeout.exe
1724	timeout.exe
592	timeout.exe
3776	timeout.exe
3820	timeout.exe
3580	timeout.exe
2164	timeout.exe
508	timeout.exe
3200	timeout.exe
2396	timeout.exe
3824	timeout.exe
3472	timeout.exe
3852	timeout.exe
2664	timeout.exe
2400	timeout.exe
3180	timeout.exe
3032	timeout.exe
3956	timeout.exe
2420	timeout.exe
3448	timeout.exe
2528	timeout.exe
2640	timeout.exe
1368	timeout.exe
768	timeout.exe
808	timeout.exe
2868	timeout.exe
1176	timeout.exe
2124	timeout.exe
2440	timeout.exe
3172	timeout.exe
836	timeout.exe
3564	timeout.exe
1256	timeout.exe
3956	timeout.exe
3936	timeout.exe
2000	timeout.exe
1512	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3936	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	424	vssvc.exe
Token: SeRestorePrivilege	424	vssvc.exe
Token: SeAuditPrivilege	424	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 660	2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	69
PID 2636 wrote to memory of 660	2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	69
PID 2636 wrote to memory of 660	2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	69
PID 2636 wrote to memory of 652	2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	70
PID 2636 wrote to memory of 652	2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	70
PID 2636 wrote to memory of 652	2636	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	70
PID 652 wrote to memory of 3936	652	cmd.exe	71
PID 652 wrote to memory of 3936	652	cmd.exe	71
PID 652 wrote to memory of 3936	652	cmd.exe	71
PID 660 wrote to memory of 3956	660	cmd.exe	72
PID 660 wrote to memory of 3956	660	cmd.exe	72
PID 660 wrote to memory of 3956	660	cmd.exe	72
PID 660 wrote to memory of 1176	660	cmd.exe	73
PID 660 wrote to memory of 1176	660	cmd.exe	73
PID 660 wrote to memory of 1176	660	cmd.exe	73
PID 660 wrote to memory of 2884	660	cmd.exe	75
PID 660 wrote to memory of 2884	660	cmd.exe	75
PID 660 wrote to memory of 2884	660	cmd.exe	75
PID 660 wrote to memory of 1508	660	cmd.exe	76
PID 660 wrote to memory of 1508	660	cmd.exe	76
PID 660 wrote to memory of 1508	660	cmd.exe	76
PID 660 wrote to memory of 680	660	cmd.exe	77
PID 660 wrote to memory of 680	660	cmd.exe	77
PID 660 wrote to memory of 680	660	cmd.exe	77
PID 660 wrote to memory of 412	660	cmd.exe	78
PID 660 wrote to memory of 412	660	cmd.exe	78
PID 660 wrote to memory of 412	660	cmd.exe	78
PID 660 wrote to memory of 720	660	cmd.exe	79
PID 660 wrote to memory of 720	660	cmd.exe	79
PID 660 wrote to memory of 720	660	cmd.exe	79
PID 660 wrote to memory of 684	660	cmd.exe	80
PID 660 wrote to memory of 684	660	cmd.exe	80
PID 660 wrote to memory of 684	660	cmd.exe	80
PID 660 wrote to memory of 1432	660	cmd.exe	81
PID 660 wrote to memory of 1432	660	cmd.exe	81
PID 660 wrote to memory of 1432	660	cmd.exe	81
PID 660 wrote to memory of 2440	660	cmd.exe	82
PID 660 wrote to memory of 2440	660	cmd.exe	82
PID 660 wrote to memory of 2440	660	cmd.exe	82
PID 660 wrote to memory of 984	660	cmd.exe	83
PID 660 wrote to memory of 984	660	cmd.exe	83
PID 660 wrote to memory of 984	660	cmd.exe	83
PID 660 wrote to memory of 4088	660	cmd.exe	84
PID 660 wrote to memory of 4088	660	cmd.exe	84
PID 660 wrote to memory of 4088	660	cmd.exe	84
PID 660 wrote to memory of 1256	660	cmd.exe	85
PID 660 wrote to memory of 1256	660	cmd.exe	85
PID 660 wrote to memory of 1256	660	cmd.exe	85
PID 660 wrote to memory of 892	660	cmd.exe	86
PID 660 wrote to memory of 892	660	cmd.exe	86
PID 660 wrote to memory of 892	660	cmd.exe	86
PID 660 wrote to memory of 4024	660	cmd.exe	87
PID 660 wrote to memory of 4024	660	cmd.exe	87
PID 660 wrote to memory of 4024	660	cmd.exe	87
PID 660 wrote to memory of 1244	660	cmd.exe	88
PID 660 wrote to memory of 1244	660	cmd.exe	88
PID 660 wrote to memory of 1244	660	cmd.exe	88
PID 660 wrote to memory of 4004	660	cmd.exe	89
PID 660 wrote to memory of 4004	660	cmd.exe	89
PID 660 wrote to memory of 4004	660	cmd.exe	89
PID 660 wrote to memory of 2332	660	cmd.exe	90
PID 660 wrote to memory of 2332	660	cmd.exe	90
PID 660 wrote to memory of 2332	660	cmd.exe	90
PID 660 wrote to memory of 2312	660	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
"C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:684
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2252
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1256
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3780
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:684
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2664
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:648
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:372
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3172
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2868
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:372
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3180
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:928
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact