hive | db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e

Resubmissions

30/11/2021, 13:37

211130-qxasbsacb8 10

30/11/2021, 13:35

211130-qvmzwafagn 10

30/11/2021, 13:31

211130-qstpmsfafq 10

Analysis

max time kernel
47s
max time network
147s
platform
windows10_x64
resource
win10-en-20211014
submitted
30/11/2021, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
Size

2.5MB
MD5

6c1665d8f03efdc96991956f4d7f310d
SHA1

bbbb0836a9f0d2525539d65669d35d8e528f96d1
SHA256

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e
SHA512

c633c67c5a8e2b5c856027475d0d0bb2075a6b2d54486e080c737d4dce7a71ffbd83acddcf60dc53854e72b91bf05e25c1e02a55fbd0b93ca66b61691d5b96b7

Score

10^/10

hive ransomware

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-941723256-3451054534-3089625102-1000\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt.wTKzPHiVCfwzB9qpW_e7NoXfA2ODuZVBZ7WAvpj9WkU.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.wTKzPHiVCfwzB9qpW_e7NnOL63rq6m1xuqBUVaJU-iQ.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.wTKzPHiVCfwzB9qpW_e7Nj7OPIpAUrxUDKUSRrQ8KEs.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OFFREL.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\j2pkcs11.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.wTKzPHiVCfwzB9qpW_e7NrwzYtylogMmql8E4iT7Ujs.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sv.pak.wTKzPHiVCfwzB9qpW_e7NqdjfSPY7GAHL3WD9PzOIQE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\fxplugins.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmgdsrv_xl.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM2.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3900	timeout.exe
3948	timeout.exe
3236	timeout.exe
1212	timeout.exe
1692	timeout.exe
3436	timeout.exe
4080	timeout.exe
4080	timeout.exe
2816	timeout.exe
3540	timeout.exe
2400	timeout.exe
2892	timeout.exe
2596	timeout.exe
1176	timeout.exe
932	timeout.exe
4076	timeout.exe
3092	timeout.exe
1932	timeout.exe
1524	timeout.exe
3656	timeout.exe
1856	timeout.exe
3212	timeout.exe
1056	timeout.exe
3048	timeout.exe
1372	timeout.exe
3020	timeout.exe
2888	timeout.exe
64	timeout.exe
2232	timeout.exe
2956	timeout.exe
3276	timeout.exe
2776	timeout.exe
4080	timeout.exe
840	timeout.exe
2196	timeout.exe
892	timeout.exe
2320	timeout.exe
1804	timeout.exe
3828	timeout.exe
2400	timeout.exe
2328	timeout.exe
2968	timeout.exe
4084	timeout.exe
3108	timeout.exe
3980	timeout.exe
2732	timeout.exe
3560	timeout.exe
2648	timeout.exe
3492	timeout.exe
3504	timeout.exe
824	timeout.exe
2320	timeout.exe
3276	timeout.exe
1200	timeout.exe
3836	timeout.exe
924	timeout.exe
368	timeout.exe
1308	timeout.exe
988	timeout.exe
748	timeout.exe
1964	timeout.exe
2296	timeout.exe
1008	timeout.exe
2356	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3900	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2580	vssvc.exe
Token: SeRestorePrivilege	2580	vssvc.exe
Token: SeAuditPrivilege	2580	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1960	2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	70
PID 2692 wrote to memory of 1960	2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	70
PID 2692 wrote to memory of 1960	2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	70
PID 2692 wrote to memory of 3176	2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	71
PID 2692 wrote to memory of 3176	2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	71
PID 2692 wrote to memory of 3176	2692	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	71
PID 1960 wrote to memory of 4080	1960	cmd.exe	73
PID 1960 wrote to memory of 4080	1960	cmd.exe	73
PID 1960 wrote to memory of 4080	1960	cmd.exe	73
PID 3176 wrote to memory of 3900	3176	cmd.exe	72
PID 3176 wrote to memory of 3900	3176	cmd.exe	72
PID 3176 wrote to memory of 3900	3176	cmd.exe	72
PID 1960 wrote to memory of 2816	1960	cmd.exe	74
PID 1960 wrote to memory of 2816	1960	cmd.exe	74
PID 1960 wrote to memory of 2816	1960	cmd.exe	74
PID 1960 wrote to memory of 1640	1960	cmd.exe	76
PID 1960 wrote to memory of 1640	1960	cmd.exe	76
PID 1960 wrote to memory of 1640	1960	cmd.exe	76
PID 1960 wrote to memory of 676	1960	cmd.exe	77
PID 1960 wrote to memory of 676	1960	cmd.exe	77
PID 1960 wrote to memory of 676	1960	cmd.exe	77
PID 1960 wrote to memory of 704	1960	cmd.exe	78
PID 1960 wrote to memory of 704	1960	cmd.exe	78
PID 1960 wrote to memory of 704	1960	cmd.exe	78
PID 1960 wrote to memory of 1228	1960	cmd.exe	79
PID 1960 wrote to memory of 1228	1960	cmd.exe	79
PID 1960 wrote to memory of 1228	1960	cmd.exe	79
PID 1960 wrote to memory of 1284	1960	cmd.exe	80
PID 1960 wrote to memory of 1284	1960	cmd.exe	80
PID 1960 wrote to memory of 1284	1960	cmd.exe	80
PID 1960 wrote to memory of 3396	1960	cmd.exe	81
PID 1960 wrote to memory of 3396	1960	cmd.exe	81
PID 1960 wrote to memory of 3396	1960	cmd.exe	81
PID 1960 wrote to memory of 1712	1960	cmd.exe	82
PID 1960 wrote to memory of 1712	1960	cmd.exe	82
PID 1960 wrote to memory of 1712	1960	cmd.exe	82
PID 1960 wrote to memory of 2460	1960	cmd.exe	83
PID 1960 wrote to memory of 2460	1960	cmd.exe	83
PID 1960 wrote to memory of 2460	1960	cmd.exe	83
PID 1960 wrote to memory of 1420	1960	cmd.exe	84
PID 1960 wrote to memory of 1420	1960	cmd.exe	84
PID 1960 wrote to memory of 1420	1960	cmd.exe	84
PID 1960 wrote to memory of 892	1960	cmd.exe	85
PID 1960 wrote to memory of 892	1960	cmd.exe	85
PID 1960 wrote to memory of 892	1960	cmd.exe	85
PID 1960 wrote to memory of 1248	1960	cmd.exe	86
PID 1960 wrote to memory of 1248	1960	cmd.exe	86
PID 1960 wrote to memory of 1248	1960	cmd.exe	86
PID 1960 wrote to memory of 2132	1960	cmd.exe	87
PID 1960 wrote to memory of 2132	1960	cmd.exe	87
PID 1960 wrote to memory of 2132	1960	cmd.exe	87
PID 1960 wrote to memory of 4040	1960	cmd.exe	88
PID 1960 wrote to memory of 4040	1960	cmd.exe	88
PID 1960 wrote to memory of 4040	1960	cmd.exe	88
PID 1960 wrote to memory of 1308	1960	cmd.exe	89
PID 1960 wrote to memory of 1308	1960	cmd.exe	89
PID 1960 wrote to memory of 1308	1960	cmd.exe	89
PID 1960 wrote to memory of 2356	1960	cmd.exe	90
PID 1960 wrote to memory of 2356	1960	cmd.exe	90
PID 1960 wrote to memory of 2356	1960	cmd.exe	90
PID 1960 wrote to memory of 1596	1960	cmd.exe	91
PID 1960 wrote to memory of 1596	1960	cmd.exe	91
PID 1960 wrote to memory of 1596	1960	cmd.exe	91
PID 1960 wrote to memory of 2268	1960	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
"C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:60
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:840
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:64
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3828
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:424
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3108
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2296
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3048
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2232
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1372
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2648
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1692
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3092
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:952
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3492
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:60
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3900
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1524
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:60
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3560
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:840
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact