39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d

General

Target

830004.exe
Size

691KB
MD5

58aea2aac89947773dfae8e3859e20b0
SHA1

be17c41c65703f9475e36dff55fd3de220e395f3
SHA256

39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512

f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP

12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

830004.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SendSync.tiff => C:\Users\Admin\Pictures\SendSync.tiff.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\SendSync.tiff.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\GroupResolve.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\HideApprove.png => C:\Users\Admin\Pictures\HideApprove.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\HideApprove.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\LockBackup.raw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\LockInitialize.png => C:\Users\Admin\Pictures\LockInitialize.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\GroupResolve.png => C:\Users\Admin\Pictures\GroupResolve.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\LockBackup.raw => C:\Users\Admin\Pictures\LockBackup.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\LockInitialize.png.crypt	830004.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

830004.exe

description	ioc	process
File opened (read-only)	\??\G:	830004.exe
File opened (read-only)	\??\J:	830004.exe
File opened (read-only)	\??\K:	830004.exe
File opened (read-only)	\??\M:	830004.exe
File opened (read-only)	\??\N:	830004.exe
File opened (read-only)	\??\R:	830004.exe
File opened (read-only)	\??\A:	830004.exe
File opened (read-only)	\??\E:	830004.exe
File opened (read-only)	\??\W:	830004.exe
File opened (read-only)	\??\X:	830004.exe
File opened (read-only)	\??\S:	830004.exe
File opened (read-only)	\??\U:	830004.exe
File opened (read-only)	\??\I:	830004.exe
File opened (read-only)	\??\O:	830004.exe
File opened (read-only)	\??\T:	830004.exe
File opened (read-only)	\??\V:	830004.exe
File opened (read-only)	\??\B:	830004.exe
File opened (read-only)	\??\P:	830004.exe
File opened (read-only)	\??\L:	830004.exe
File opened (read-only)	\??\Q:	830004.exe
File opened (read-only)	\??\Y:	830004.exe
File opened (read-only)	\??\Z:	830004.exe
File opened (read-only)	\??\F:	830004.exe
File opened (read-only)	\??\H:	830004.exe

Drops file in Program Files directory 64 IoCs

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\3DViewerProductDescription-universal.xml.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\2.jpg.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-lightunplated.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-100.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-400.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\DarkGray.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-high.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-down_32.svg.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.tree.dat.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_move_18.svg.crypt	830004.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Incoming_Video_Available.m4a.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-32.png.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_SplashScreen.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-100.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\mso.acl.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2140f8bb.pri.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-high.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-lightunplated.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-lightunplated.png.crypt	830004.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_et.json.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Logo.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.boot.tree.dat.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.Tests.ps1.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png.crypt	830004.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5064	timeout.exe
1036	timeout.exe
1156	timeout.exe
5100	timeout.exe
4996	timeout.exe
2464	timeout.exe
1596	timeout.exe
4880	timeout.exe
4888	timeout.exe
3312	timeout.exe
3964	timeout.exe
4336	timeout.exe
396	timeout.exe
4036	timeout.exe
1692	timeout.exe
380	timeout.exe
3992	timeout.exe
4576	timeout.exe
3952	timeout.exe
2348	timeout.exe
1796	timeout.exe
3540	timeout.exe
544	timeout.exe
8	timeout.exe
3292	timeout.exe
3128	timeout.exe
3124	timeout.exe
376	timeout.exe
4640	timeout.exe
3352	timeout.exe
436	timeout.exe
4684	timeout.exe
5072	timeout.exe
2056	timeout.exe
3904	timeout.exe
4036	timeout.exe
3888	timeout.exe
2100	timeout.exe
2960	timeout.exe
1116	timeout.exe
636	timeout.exe
208	timeout.exe
4904	timeout.exe
3444	timeout.exe
4260	timeout.exe
4548	timeout.exe
4704	timeout.exe
732	timeout.exe
452	timeout.exe
1600	timeout.exe
2416	timeout.exe
4712	timeout.exe
3052	timeout.exe
2100	timeout.exe
3112	timeout.exe
3476	timeout.exe
5032	timeout.exe
1872	timeout.exe
3068	timeout.exe
4380	timeout.exe
2656	timeout.exe
4064	timeout.exe
2928	timeout.exe
1232	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
4276	tasklist.exe
1096	tasklist.exe
2480	tasklist.exe
4560	tasklist.exe
1796	tasklist.exe
1868	tasklist.exe
2712	tasklist.exe
4588	tasklist.exe
3420	tasklist.exe
3980	tasklist.exe
3148	tasklist.exe
3420	tasklist.exe
4308	tasklist.exe
3912	tasklist.exe
4896	tasklist.exe
3688	tasklist.exe
3712	tasklist.exe
528	tasklist.exe
5116	tasklist.exe
3472	tasklist.exe
4564	tasklist.exe
1684	tasklist.exe
2236	tasklist.exe
5116	tasklist.exe
3664	tasklist.exe
540	tasklist.exe
1116	tasklist.exe
4960	tasklist.exe
4972	tasklist.exe
2984	tasklist.exe
4696	tasklist.exe
2696	tasklist.exe
3692	tasklist.exe
2484	tasklist.exe
2724	tasklist.exe
4292	tasklist.exe
4588	tasklist.exe
616	tasklist.exe
1812	tasklist.exe
4932	tasklist.exe
3552	tasklist.exe
1888	tasklist.exe
4612	tasklist.exe
4644	tasklist.exe
2292	tasklist.exe
3540	tasklist.exe
160	tasklist.exe
3976	tasklist.exe
3464	tasklist.exe
4292	tasklist.exe
1168	tasklist.exe
1668	tasklist.exe
3120	tasklist.exe
860	tasklist.exe
2252	tasklist.exe
204	tasklist.exe
5024	tasklist.exe
2788	tasklist.exe
4716	tasklist.exe
632	tasklist.exe
1512	tasklist.exe
2276	tasklist.exe
3008	tasklist.exe
4440	tasklist.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4936 vssadmin.exe

pid	process
4936	vssadmin.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2060	taskkill.exe
4536	taskkill.exe
984	taskkill.exe
5020	taskkill.exe
4216	taskkill.exe
4072	taskkill.exe
3420	taskkill.exe
1668	taskkill.exe
2292	taskkill.exe
1524	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 20 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4896 reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

1952 explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1952 explorer.exe

pid	process
4896	reg.exe

pid	process
1952	explorer.exe

pid	process
1952	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

830004.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2220	830004.exe
Token: SeBackupPrivilege	2220	830004.exe
Token: SeRestorePrivilege	2220	830004.exe
Token: 35	2220	830004.exe
Token: SeSecurityPrivilege	2220	830004.exe
Token: SeManageVolumePrivilege	2220	830004.exe
Token: 32	2220	830004.exe
Token: SeTcbPrivilege	2220	830004.exe
Token: SeSystemProfilePrivilege	2220	830004.exe
Token: SeTakeOwnershipPrivilege	2220	830004.exe
Token: SeDebugPrivilege	4820	tasklist.exe
Token: SeDebugPrivilege	3464	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	1116	tasklist.exe
Token: SeDebugPrivilege	228	tasklist.exe
Token: SeDebugPrivilege	4292	tasklist.exe
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	3452	tasklist.exe
Token: SeDebugPrivilege	4336	tasklist.exe
Token: SeDebugPrivilege	680	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	4716	tasklist.exe
Token: SeDebugPrivilege	992	tasklist.exe
Token: SeDebugPrivilege	2696	tasklist.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	4588	tasklist.exe
Token: SeDebugPrivilege	3988	tasklist.exe
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	3292	tasklist.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeDebugPrivilege	528	tasklist.exe
Token: SeDebugPrivilege	3420	tasklist.exe
Token: SeDebugPrivilege	2060	tasklist.exe
Token: SeDebugPrivilege	632	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	3680	tasklist.exe
Token: SeDebugPrivilege	3980	tasklist.exe
Token: SeDebugPrivilege	4464	tasklist.exe
Token: SeDebugPrivilege	4000	tasklist.exe
Token: SeDebugPrivilege	860	tasklist.exe
Token: SeDebugPrivilege	5116	tasklist.exe
Token: SeDebugPrivilege	4716	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	4060	tasklist.exe
Token: SeDebugPrivilege	3472	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	2668	tasklist.exe
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeDebugPrivilege	452	tasklist.exe
Token: SeDebugPrivilege	4920	tasklist.exe
Token: SeDebugPrivilege	4276	tasklist.exe
Token: SeDebugPrivilege	3784	tasklist.exe
Token: SeDebugPrivilege	4440	tasklist.exe
Token: SeDebugPrivilege	1436	tasklist.exe
Token: SeDebugPrivilege	3912	tasklist.exe
Token: SeDebugPrivilege	3920	tasklist.exe
Token: SeDebugPrivilege	5008	tasklist.exe
Token: SeDebugPrivilege	4292	tasklist.exe
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	4092	tasklist.exe
Token: SeDebugPrivilege	3304	tasklist.exe
Token: SeDebugPrivilege	2328	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

1952 explorer.exe
1952 explorer.exe

pid	process
1952	explorer.exe
1952	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

830004.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2220 wrote to memory of 4916	2220	830004.exe	cmd.exe
PID 2220 wrote to memory of 4916	2220	830004.exe	cmd.exe
PID 2220 wrote to memory of 4780	2220	830004.exe	cmd.exe
PID 2220 wrote to memory of 4780	2220	830004.exe	cmd.exe
PID 2220 wrote to memory of 3616	2220	830004.exe	cmd.exe
PID 2220 wrote to memory of 3616	2220	830004.exe	cmd.exe
PID 4916 wrote to memory of 4896	4916	cmd.exe	reg.exe
PID 4916 wrote to memory of 4896	4916	cmd.exe	reg.exe
PID 4780 wrote to memory of 4920	4780	cmd.exe	net.exe
PID 4780 wrote to memory of 4920	4780	cmd.exe	net.exe
PID 4920 wrote to memory of 4860	4920	net.exe	net1.exe
PID 4920 wrote to memory of 4860	4920	net.exe	net1.exe
PID 3616 wrote to memory of 4820	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 4820	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3296	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 3296	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 4576	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 4576	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 3464	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3464	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 4840	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 4840	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 1828	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 1828	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 1700	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 1700	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 4996	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 4996	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 1044	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 1044	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 1116	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 1116	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 1140	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 1140	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 2124	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 2124	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 228	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 228	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 116	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 116	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 2676	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 2676	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 4292	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 4292	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3568	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 3568	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 3796	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 3796	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 3692	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3692	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3660	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 3660	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 3716	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 3716	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 3452	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3452	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 3696	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 3696	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 4464	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 4464	3616	cmd.exe	timeout.exe
PID 3616 wrote to memory of 4336	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 4336	3616	cmd.exe	tasklist.exe
PID 3616 wrote to memory of 4704	3616	cmd.exe	findstr.exe
PID 3616 wrote to memory of 4704	3616	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\830004.exe
"C:\Users\Admin\AppData\Local\Temp\830004.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Settings\0t4Q7u1v2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3296

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4576

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4840

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1828

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4996

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1044

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1140

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2124

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:116

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2676

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3568

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3796

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3660

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3716

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3696

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4464

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4704

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3312

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3964

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3396

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2656

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1652

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2336

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1600

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4468

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5064

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:376

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4712

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2236

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3984

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2472

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2928

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4156

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4972

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3476

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4260

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:636

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4440

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1764

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1120

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4640

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3088

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4244

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:348

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2056

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1728

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3676

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3536

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3668

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4644

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4144

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4264

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1036

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3152

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3352

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1928

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3564

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2712

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1156

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1652

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:992

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4684

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:376

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4472

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1692

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4064

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1344

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4812

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3288

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4844

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2708

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1220

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:8

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:528

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2348

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3484

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1976

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1052

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2960

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1116

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:208

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1796

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4996

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3568

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3796

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3540

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3572

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4364

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4336

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1496

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:396

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2344

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2416

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3916

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2332

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2656

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:5116

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:64

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4036

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1096

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4664

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2464

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:992

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4488

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3172

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3848

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1548

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3008

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3900

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4380

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4020

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3064

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4548

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3248

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:900

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4712

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4588

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1692

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3992

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2484

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1344

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3988

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3148

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:368

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4748

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4896

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3288

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3292

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3120

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2708

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3812

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4932

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4972

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5032

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3004

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4300

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:636

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3420

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1648

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4440

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1168

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4640

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1524

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4612

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:632

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1872

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1116

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2468

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:208

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1796

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1812

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4996

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3664

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2152

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1728

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3796

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3068

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3552

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3544

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3696

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4644

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:812

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3428

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4280

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2380

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3904

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2276

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:436

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:160

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3648

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3128

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:860

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3396

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2656

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2712

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4600

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4036

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2420

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2604

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2464

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2724

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2552

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3344

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4984

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4616

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3888

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2396

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:388

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5064

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4564

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4560

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4684

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:5028

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1516

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4024

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4064

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4960

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3860

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4812

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2896

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1396

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2928

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2140

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2780

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4904

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:5000

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4876

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5072

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1512

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4780

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3672

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4972

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3652

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4296

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3000

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3004

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:672

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2292

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5012

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3420

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1648

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1436

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1168

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4640

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:380

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:5024

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:632

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2252

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1116

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3052

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2840

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2056

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3592

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3664

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2272

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:856

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3796

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4364

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4168

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4644

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4704

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2276

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1596

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:160

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4752

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4976

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:204

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4068

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3960

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2320

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2660

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1176

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4184

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4140

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4756

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2256

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3196

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2480

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:524

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4380

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2984

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:732

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4980

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3444

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1888

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5076

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1448

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1344

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3860

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:368

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1396

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3952

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2780

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4896

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:452

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4156

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3120

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1048

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4788

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1512

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4920

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4932

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4972

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1668

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3760

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4260

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4216

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3212

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2292

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:804

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2348

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3484

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4440

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4716

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3832

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1168

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2960

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3828

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:5024

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2392

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1232

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2144

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4832

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3052

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1812

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3676

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3592

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1868

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3500

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4900

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3696

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3452

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2812

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4720

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4168

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3688

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4128

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2344

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2416

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4672

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5088

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:204

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4648

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4792

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:952

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1652

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1176

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1472

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4696

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4880

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4940

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1520

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3124

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2788

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4252

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2356

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4952

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:788

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4560

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:376

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1172

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2756

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3248

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1640

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4712

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4320

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4208

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2436

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4888

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3976

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1356

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4064

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3712

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:368

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2676

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4304

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\net.exe
net config server /autodisconnect:-1
3⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config server /autodisconnect:-1
4⤵
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\system32\reg.exe
reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4896

C:\Windows\explorer.exe
explorer.exe .\readme_for_unlock.txt
2⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet
2⤵
PID:4960

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /quiet
3⤵
- Interacts with shadow copies
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2l0A1d3q0.bat
2⤵
PID:528

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1668

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:5020

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:4216

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:2292

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:4072

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:3420

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:2060

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:4536

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1524

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\3y2S3a2v1.bat
3⤵
PID:632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Settings\0t4Q7u1v2.bat
Filesize
163B

MD5
3578e838f655c9bd9426651cc13f6a84

SHA1
10b312cca508e1958507cd3f8a6feae72f6a3a3d

SHA256
42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde

SHA512
4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\2l0A1d3q0.bat
Filesize
1.0MB

MD5
e82e2537f74219b8ba9b5e58bed573e4

SHA1
59619c7d5f19886ea8b773eb99d6e9cae343e888

SHA256
f24d40d15950b477e349a2c7f454e7991ff0768745267750e586f13dfe59b5a4

SHA512
96885c4e6dff1b484a3060f766dbb8766c7bdacce6b83a4790de5efd903d1c1cbe07d4bb558a1e051b4841a6f7990bc54a7ffcb0275a5008dd22c019e2f03ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3y2S3a2v1.bat
Filesize
56B

MD5
0d636660b74b7c62348f813f1024e218

SHA1
bf4aab4ee44cf03b862992effd22f55d6326ae9a

SHA256
61b885ca80cabc98a5a70f68889e180748baca9a05679217a981fd8c8942a15a

SHA512
9aeaae6ae045afcf8bd684e6f58995b05d97d85b29c4e6619f137d089809efb6d3336cef8adeaacbc1fd6ef5d7af4b72dddcdcf53b31780efc9895483c32624e

Download Submit
memory/8-196-0x0000000000000000-mapping.dmp

Download
memory/116-152-0x0000000000000000-mapping.dmp

Download
memory/228-151-0x0000000000000000-mapping.dmp

Download
memory/376-182-0x0000000000000000-mapping.dmp

Download
memory/680-166-0x0000000000000000-mapping.dmp

Download
memory/992-175-0x0000000000000000-mapping.dmp

Download
memory/1044-147-0x0000000000000000-mapping.dmp

Download
memory/1112-174-0x0000000000000000-mapping.dmp

Download
memory/1116-148-0x0000000000000000-mapping.dmp

Download
memory/1140-149-0x0000000000000000-mapping.dmp

Download
memory/1600-177-0x0000000000000000-mapping.dmp

Download
memory/1652-173-0x0000000000000000-mapping.dmp

Download
memory/1700-145-0x0000000000000000-mapping.dmp

Download
memory/1828-144-0x0000000000000000-mapping.dmp

Download
memory/2100-189-0x0000000000000000-mapping.dmp

Download
memory/2124-150-0x0000000000000000-mapping.dmp

Download
memory/2236-185-0x0000000000000000-mapping.dmp

Download
memory/2336-176-0x0000000000000000-mapping.dmp

Download
memory/2472-188-0x0000000000000000-mapping.dmp

Download
memory/2656-171-0x0000000000000000-mapping.dmp

Download
memory/2676-153-0x0000000000000000-mapping.dmp

Download
memory/2696-178-0x0000000000000000-mapping.dmp

Download
memory/2712-169-0x0000000000000000-mapping.dmp

Download
memory/2896-190-0x0000000000000000-mapping.dmp

Download
memory/2928-191-0x0000000000000000-mapping.dmp

Download
memory/3064-181-0x0000000000000000-mapping.dmp

Download
memory/3292-193-0x0000000000000000-mapping.dmp

Download
memory/3296-140-0x0000000000000000-mapping.dmp

Download
memory/3312-165-0x0000000000000000-mapping.dmp

Download
memory/3396-170-0x0000000000000000-mapping.dmp

Download
memory/3452-160-0x0000000000000000-mapping.dmp

Download
memory/3464-142-0x0000000000000000-mapping.dmp

Download
memory/3568-155-0x0000000000000000-mapping.dmp

Download
memory/3616-134-0x0000000000000000-mapping.dmp

Download
memory/3660-158-0x0000000000000000-mapping.dmp

Download
memory/3692-157-0x0000000000000000-mapping.dmp

Download
memory/3696-161-0x0000000000000000-mapping.dmp

Download
memory/3716-159-0x0000000000000000-mapping.dmp

Download
memory/3796-156-0x0000000000000000-mapping.dmp

Download
memory/3916-167-0x0000000000000000-mapping.dmp

Download
memory/3952-192-0x0000000000000000-mapping.dmp

Download
memory/3964-168-0x0000000000000000-mapping.dmp

Download
memory/3984-186-0x0000000000000000-mapping.dmp

Download
memory/3988-187-0x0000000000000000-mapping.dmp

Download
memory/4156-194-0x0000000000000000-mapping.dmp

Download
memory/4292-154-0x0000000000000000-mapping.dmp

Download
memory/4336-163-0x0000000000000000-mapping.dmp

Download
memory/4464-162-0x0000000000000000-mapping.dmp

Download
memory/4468-179-0x0000000000000000-mapping.dmp

Download
memory/4576-141-0x0000000000000000-mapping.dmp

Download
memory/4588-184-0x0000000000000000-mapping.dmp

Download
memory/4704-164-0x0000000000000000-mapping.dmp

Download
memory/4712-183-0x0000000000000000-mapping.dmp

Download
memory/4716-172-0x0000000000000000-mapping.dmp

Download
memory/4780-133-0x0000000000000000-mapping.dmp

Download
memory/4820-139-0x0000000000000000-mapping.dmp

Download
memory/4840-143-0x0000000000000000-mapping.dmp

Download
memory/4860-138-0x0000000000000000-mapping.dmp

Download
memory/4896-135-0x0000000000000000-mapping.dmp

Download
memory/4916-132-0x0000000000000000-mapping.dmp

Download
memory/4920-136-0x0000000000000000-mapping.dmp

Download
memory/4924-195-0x0000000000000000-mapping.dmp

Download
memory/4996-146-0x0000000000000000-mapping.dmp

Download
memory/5064-180-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads