39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d

General

Target

830004.exe
Size

691KB
MD5

58aea2aac89947773dfae8e3859e20b0
SHA1

be17c41c65703f9475e36dff55fd3de220e395f3
SHA256

39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512

f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP

12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SaveCompare.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\UseBlock.raw => C:\Users\Admin\Pictures\UseBlock.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\UseBlock.raw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\UseReceive.crw => C:\Users\Admin\Pictures\UseReceive.crw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertStep.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\MountUninstall.tif => C:\Users\Admin\Pictures\MountUninstall.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ReceiveRead.raw => C:\Users\Admin\Pictures\ReceiveRead.raw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ResolveBlock.tif => C:\Users\Admin\Pictures\ResolveBlock.tif.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\MountUninstall.tif.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\PushResume.png.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ReceiveResume.raw => C:\Users\Admin\Pictures\ReceiveResume.raw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\ConvertStep.tif => C:\Users\Admin\Pictures\ConvertStep.tif.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveBlock.tif.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\UseReceive.crw.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\SaveCompare.tif => C:\Users\Admin\Pictures\SaveCompare.tif.crypt	830004.exe
File renamed	C:\Users\Admin\Pictures\PushResume.png => C:\Users\Admin\Pictures\PushResume.png.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveRead.raw.crypt	830004.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveResume.raw.crypt	830004.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

830004.exe

description	ioc	process
File opened (read-only)	\??\I:	830004.exe
File opened (read-only)	\??\N:	830004.exe
File opened (read-only)	\??\O:	830004.exe
File opened (read-only)	\??\X:	830004.exe
File opened (read-only)	\??\B:	830004.exe
File opened (read-only)	\??\G:	830004.exe
File opened (read-only)	\??\H:	830004.exe
File opened (read-only)	\??\K:	830004.exe
File opened (read-only)	\??\M:	830004.exe
File opened (read-only)	\??\P:	830004.exe
File opened (read-only)	\??\Q:	830004.exe
File opened (read-only)	\??\R:	830004.exe
File opened (read-only)	\??\V:	830004.exe
File opened (read-only)	\??\Z:	830004.exe
File opened (read-only)	\??\A:	830004.exe
File opened (read-only)	\??\E:	830004.exe
File opened (read-only)	\??\F:	830004.exe
File opened (read-only)	\??\J:	830004.exe
File opened (read-only)	\??\L:	830004.exe
File opened (read-only)	\??\S:	830004.exe
File opened (read-only)	\??\T:	830004.exe
File opened (read-only)	\??\U:	830004.exe
File opened (read-only)	\??\W:	830004.exe
File opened (read-only)	\??\Y:	830004.exe

Drops file in Program Files directory 64 IoCs

Processes:

830004.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-white.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-100.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\PSTN_cluster.png.crypt	830004.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Sand.dxt.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightItalic.ttf.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-100.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2629973501-4017243118-3254762364-1000-MergedResources-0.pri.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\34.jpg.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-unplated_contrast-white.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64.png.crypt	830004.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-80_altform-unplated_contrast-black.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-150.png.crypt	830004.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxBlockMap.xml.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png.crypt	830004.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-16_altform-unplated_contrast-white.png.crypt	830004.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\ui-strings.js.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32.png.crypt	830004.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.mail.config.crypt	830004.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1988	timeout.exe
4260	timeout.exe
2468	timeout.exe
3912	timeout.exe
4136	timeout.exe
4944	timeout.exe
1460	timeout.exe
3172	timeout.exe
1804	timeout.exe
1868	timeout.exe
1132	timeout.exe
4708	timeout.exe
4048	timeout.exe
3396	timeout.exe
1460	timeout.exe
1428	timeout.exe
1044	timeout.exe
2736	timeout.exe
980	timeout.exe
112	timeout.exe
2064	timeout.exe
4488	timeout.exe
4872	timeout.exe
3792	timeout.exe
2464	timeout.exe
3444	timeout.exe
3396	timeout.exe
4512	timeout.exe
1388	timeout.exe
4212	timeout.exe
952	timeout.exe
3812	timeout.exe
4960	timeout.exe
3100	timeout.exe
4932	timeout.exe
2168	timeout.exe
3484	timeout.exe
544	timeout.exe
2516	timeout.exe
1072	timeout.exe
3180	timeout.exe
3996	timeout.exe
5108	timeout.exe
1388	timeout.exe
4100	timeout.exe
5060	timeout.exe
220	timeout.exe
4624	timeout.exe
456	timeout.exe
4376	timeout.exe
2480	timeout.exe
4212	timeout.exe
1460	timeout.exe
4664	timeout.exe
3064	timeout.exe
4244	timeout.exe
1120	timeout.exe
492	timeout.exe
3928	timeout.exe
3060	timeout.exe
2180	timeout.exe
4040	timeout.exe
3564	timeout.exe
1240	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2172	tasklist.exe
2172	tasklist.exe
3180	tasklist.exe
5068	tasklist.exe
4312	tasklist.exe
872	tasklist.exe
2028	tasklist.exe
388	tasklist.exe
3212	tasklist.exe
4988	tasklist.exe
556	tasklist.exe
1316	tasklist.exe
3748	tasklist.exe
884	tasklist.exe
3884	tasklist.exe
2136	tasklist.exe
3112	tasklist.exe
4976	tasklist.exe
4848	tasklist.exe
1912	tasklist.exe
3172	tasklist.exe
2064	tasklist.exe
1588	tasklist.exe
4512	tasklist.exe
3768	tasklist.exe
2256	tasklist.exe
3160	tasklist.exe
1692	tasklist.exe
920	tasklist.exe
1792	tasklist.exe
4332	tasklist.exe
3028	tasklist.exe
3532	tasklist.exe
3768	tasklist.exe
4176	tasklist.exe
1472	tasklist.exe
3380	tasklist.exe
4500	tasklist.exe
1280	tasklist.exe
3812	tasklist.exe
3268	tasklist.exe
4984	tasklist.exe
4300	tasklist.exe
1220	tasklist.exe
560	tasklist.exe
1316	tasklist.exe
1064	tasklist.exe
208	tasklist.exe
4064	tasklist.exe
4824	tasklist.exe
4324	tasklist.exe
3840	tasklist.exe
4848	tasklist.exe
3624	tasklist.exe
3908	tasklist.exe
3112	tasklist.exe
3844	tasklist.exe
3896	tasklist.exe
3064	tasklist.exe
3040	tasklist.exe
1932	tasklist.exe
2632	tasklist.exe
4772	tasklist.exe
2168	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

944 vssadmin.exe

pid	process
944	vssadmin.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2248	taskkill.exe
3996	taskkill.exe
212	taskkill.exe
2468	taskkill.exe
4676	taskkill.exe
2888	taskkill.exe
1468	taskkill.exe
952	taskkill.exe
3268	taskkill.exe
220	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e80aba36ff8d270c74f9c99fcbf05467f3a260001002600efbe11000000761be9f37eaed801dcf9b1f67eaed801ff96c475c0d8d80114000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 3a002e8096f2fd3decdbb44f81d16a3438bcf4de260001002600efbe11000000761be9f37eaed8018775de60c0d8d801ff96c475c0d8d80114000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 9e003100000000000c554c9911005341564544507e310000860009000400efbe0c554c994555146d2e0000001ee801000000010000000000000000004c0000000000ae3170005300610076006500640020005000690063007400750072006500730000004000770069006e0064006f00770073002e00730074006f0072006100670065002e0064006c006c002c002d0033003400350038003300000018000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Music"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3"	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4132 reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

1868 explorer.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

1712 msedge.exe
1712 msedge.exe
1580 msedge.exe
1580 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1868 explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe

pid	process
4132	reg.exe

pid	process
1868	explorer.exe

pid	process
1712	msedge.exe
1712	msedge.exe
1580	msedge.exe
1580	msedge.exe

pid	process
1868	explorer.exe

pid	process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

830004.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2124	830004.exe
Token: SeBackupPrivilege	2124	830004.exe
Token: SeRestorePrivilege	2124	830004.exe
Token: 35	2124	830004.exe
Token: SeSecurityPrivilege	2124	830004.exe
Token: SeManageVolumePrivilege	2124	830004.exe
Token: 32	2124	830004.exe
Token: SeTcbPrivilege	2124	830004.exe
Token: SeSystemProfilePrivilege	2124	830004.exe
Token: SeTakeOwnershipPrivilege	2124	830004.exe
Token: SeDebugPrivilege	4936	tasklist.exe
Token: SeDebugPrivilege	1064	tasklist.exe
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeDebugPrivilege	112	tasklist.exe
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	3568	tasklist.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	4780	tasklist.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	64	tasklist.exe
Token: SeDebugPrivilege	4176	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	3812	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	4808	tasklist.exe
Token: SeDebugPrivilege	872	tasklist.exe
Token: SeDebugPrivilege	2292	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	4848	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	3396	tasklist.exe
Token: SeDebugPrivilege	208	tasklist.exe
Token: SeDebugPrivilege	4336	tasklist.exe
Token: SeDebugPrivilege	920	tasklist.exe
Token: SeDebugPrivilege	4656	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	3748	tasklist.exe
Token: SeDebugPrivilege	884	tasklist.exe
Token: SeDebugPrivilege	3908	tasklist.exe
Token: SeDebugPrivilege	4176	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	1272	tasklist.exe
Token: SeDebugPrivilege	492	tasklist.exe
Token: SeDebugPrivilege	4308	tasklist.exe
Token: SeDebugPrivilege	4808	tasklist.exe
Token: SeDebugPrivilege	872	tasklist.exe
Token: SeDebugPrivilege	2944	tasklist.exe
Token: SeDebugPrivilege	4132	tasklist.exe
Token: SeDebugPrivilege	1472	tasklist.exe
Token: SeDebugPrivilege	4268	tasklist.exe
Token: SeDebugPrivilege	3112	tasklist.exe
Token: SeDebugPrivilege	4276	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	208	tasklist.exe
Token: SeDebugPrivilege	3624	tasklist.exe
Token: SeDebugPrivilege	3844	tasklist.exe
Token: SeDebugPrivilege	4272	tasklist.exe
Token: SeDebugPrivilege	1000	tasklist.exe
Token: SeDebugPrivilege	2152	tasklist.exe
Token: SeDebugPrivilege	1288	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	3720	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

1868 explorer.exe
1868 explorer.exe

pid	process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

pid	process
1868	explorer.exe
1868	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

830004.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2124 wrote to memory of 4376	2124	830004.exe	cmd.exe
PID 2124 wrote to memory of 4376	2124	830004.exe	cmd.exe
PID 2124 wrote to memory of 5044	2124	830004.exe	cmd.exe
PID 2124 wrote to memory of 5044	2124	830004.exe	cmd.exe
PID 2124 wrote to memory of 2960	2124	830004.exe	cmd.exe
PID 2124 wrote to memory of 2960	2124	830004.exe	cmd.exe
PID 5044 wrote to memory of 4936	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 4936	5044	cmd.exe	tasklist.exe
PID 2960 wrote to memory of 4952	2960	cmd.exe	net.exe
PID 2960 wrote to memory of 4952	2960	cmd.exe	net.exe
PID 5044 wrote to memory of 4916	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 4916	5044	cmd.exe	findstr.exe
PID 4376 wrote to memory of 4132	4376	cmd.exe	reg.exe
PID 4376 wrote to memory of 4132	4376	cmd.exe	reg.exe
PID 4952 wrote to memory of 4268	4952	net.exe	net1.exe
PID 4952 wrote to memory of 4268	4952	net.exe	net1.exe
PID 5044 wrote to memory of 60	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 60	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 1064	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1064	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 5104	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 5104	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 3396	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 3396	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 1520	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1520	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1060	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 1060	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 5072	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 5072	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 112	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 112	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 32	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 32	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 3952	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 3952	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 2208	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 2208	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 4508	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 4508	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 3564	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 3564	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 3568	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 3568	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 3116	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 3116	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 4512	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 4512	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 1312	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1312	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1316	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 1316	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 456	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 456	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 4780	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 4780	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1616	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 1616	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 4196	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 4196	5044	cmd.exe	timeout.exe
PID 5044 wrote to memory of 4824	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 4824	5044	cmd.exe	tasklist.exe
PID 5044 wrote to memory of 1596	5044	cmd.exe	findstr.exe
PID 5044 wrote to memory of 1596	5044	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\830004.exe
"C:\Users\Admin\AppData\Local\Temp\830004.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\net.exe
net config server /autodisconnect:-1
3⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config server /autodisconnect:-1
4⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Settings\4v0C3a9i6.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:60

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5104

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3396

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5072

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:32

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4508

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3564

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3116

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4512

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1316

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:456

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1616

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4196

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1596

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:884

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2452

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3760

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3640

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5064

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1804

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:848

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4624

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4632

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:424

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3696

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1868

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4372

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4932

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1932

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1408

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4152

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3672

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4144

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4244

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4036

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2172

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3996

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:224

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:32

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3732

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3392

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4080

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2000

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4512

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5096

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2432

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4232

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1956

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1120

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1328

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:980

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:64

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2400

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2596

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3760

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4492

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4636

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1804

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1280

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3328

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4876

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2772

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:424

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4120

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3928

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4028

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2408

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1292

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4136

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4976

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2168

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1116

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4048

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4952

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5108

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:60

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3160

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2064

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3412

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:112

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2284

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2208

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4784

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:488

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4316

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5068

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4800

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5076

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:456

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4436

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4232

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1456

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4712

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3176

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4840

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3888

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:984

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4304

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4188

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4776

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4940

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3640

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3932

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4012

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3100

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3812

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4768

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:640

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3356

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3328

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3208

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4876

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2772

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:760

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2564

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1436

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3696

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1692

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3544

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4740

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3884

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3056

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4964

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3552

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1552

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3464

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4464

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4152

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:748

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1068

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4772

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3708

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2804

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5108

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2888

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4040

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:952

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3268

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1064

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1992

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3460

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4676

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2376

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4192

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4728

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3484

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4336

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3624

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1188

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3768

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3500

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4984

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1656

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4960

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4348

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4628

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4944

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4300

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1444

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3280

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4512

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4528

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1988

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1288

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:548

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1616

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2256

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4196

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1388

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2700

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3532

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:980

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3896

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4428

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4488

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1220

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3536

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4872

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4680

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4260

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:556

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2484

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:848

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1792

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:640

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3792

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2136

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3208

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4084

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2540

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1492

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2184

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1240

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3912

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1936

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3676

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1788

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3488

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:872

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4648

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2292

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2944

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2924

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4376

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4180

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4132

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1428

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1884

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2960

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2084

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:444

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4048

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4016

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4160

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3580

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2040

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2680

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4052

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2464

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3112

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4040

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3396

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3160

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:220

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2480

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2172

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:216

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2284

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:32

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1284

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4784

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4412

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4336

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1060

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1136

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:756

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4272

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:388

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:920

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:560

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4560

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4352

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:160

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2348

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1316

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:456

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2516

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3316

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1392

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3916

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:548

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1588

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2028

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:312

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4712

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1328

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3380

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3720

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4428

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:984

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4188

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3536

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1368

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3760

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4644

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4204

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2484

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4212

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1280

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4420

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3104

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:640

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1792

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:852

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3208

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2136

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2684

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1492

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4100

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1912

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1868

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1240

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4024

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4740

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3544

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:5032

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4964

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:872

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1044

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3464

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2924

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3064

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5012

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4792

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4332

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2280

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3452

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4772

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4244

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2448

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2072

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4864

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:932

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2392

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1072

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2464

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1092

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1940

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3396

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1064

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:176

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4676

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3096

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5060

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3172

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:32

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3444

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1404

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4412

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3180

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:812

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4272

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3028

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3572

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4944

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4352

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4484

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4664

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1588

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2028

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4736

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3532

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1996

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4660

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4304

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2596

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3448

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3640

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4872

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1132

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4500

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4816

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:556

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4480

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4224

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3828

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4472

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3060

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3040

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2228

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4084

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4612

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3936

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3904

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2184

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:5072

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:2564

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1912

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3912

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4360

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3676

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4372

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1932

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3488

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3660

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:4648

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2876

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1044

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4976

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2892

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3064

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4324

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2180

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:780

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1180

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4708

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3108

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1252

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3440

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1884

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4320

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4048

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4772

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4244

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2088

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3580

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2248

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4184

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:932

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1468

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1072

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:2064

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4040

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:212

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3396

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:220

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3408

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:216

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3096

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3212

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:5060

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3172

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3444

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:1424

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4336

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3768

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3180

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:5068

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3116

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3028

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:3840

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4800

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3124

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3308

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3916

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1388

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1588

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:312

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4840

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4312

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3380

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4428

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:984

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:2596

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:3448

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4064

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4220

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:1132

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3100

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4680

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:4816

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4988

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:440

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:4212

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:1280

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4224

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:492

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1792

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4000

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2736

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:3208

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:4972

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2708

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:5004

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3552

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2168

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
PID:1180

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:3980

C:\Windows\system32\timeout.exe
TIMEOUT /T 1 /NOBREAK
3⤵
PID:2084

C:\Windows\system32\tasklist.exe
TASKLIST
3⤵
- Enumerates processes with tasklist
PID:4848

C:\Windows\system32\findstr.exe
FINDSTR /B /L /I /C:830004.exe
3⤵
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\system32\reg.exe
reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4132

C:\Windows\explorer.exe
explorer.exe .\readme_for_unlock.txt
2⤵
PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet
2⤵
PID:3272

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /quiet
3⤵
- Interacts with shadow copies
PID:944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0i9W6y7s9.bat
2⤵
PID:2744

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:2248

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:2888

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:1468

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:952

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:3996

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:3268

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:212

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:220

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:2468

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM 830004.exe.exe
3⤵
- Kills process with taskkill
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\1w0P0d8x9.bat
3⤵
PID:5036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x49c
1⤵
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dreadme%26filters%3Dufn%253a%2522readme%2522%2Bsid%253a%25225c8bfb36-29ec-938b-4229-17205c96641f%2522%26form%3DWNSGPH%26qs%3DMB%26cvid%3Dcddb8fde09e04a6aadb179dad37a1ecb%26pq%3Dreadme%26cc%3DUS%26setlang%3Den-US%26nclid%3D9C0DA10A27A69B5F4DC9FC093B60234D%26ts%3D1664977651533%26nclidts%3D1664977651%26tsms%3D533
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd861f46f8,0x7ffd861f4708,0x7ffd861f4718
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
2⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3864 /prefetch:8
2⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2369017208788139459,6655340042982322239,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:2136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Settings\4v0C3a9i6.bat
Filesize
163B

MD5
3578e838f655c9bd9426651cc13f6a84

SHA1
10b312cca508e1958507cd3f8a6feae72f6a3a3d

SHA256
42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde

SHA512
4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\0i9W6y7s9.bat
Filesize
1.0MB

MD5
71810448a5a7601f7ea8b05059b7d4b7

SHA1
b618d84eeef510f3ea9a5aeac67f74d457d37d55

SHA256
b46d69295657d7192fd22d86fdc66a3f891eb167618b8f4f0e81ceee91d75134

SHA512
242c8dcb99aa62892cd7b1ae1c499ceca6d1bb15b30e7253c06bf4c1a3a76d9250f7ec5ee3a626c9aa20e0db4904f1849635649007b26e7f6fc5bb327ced9300

Download Submit
C:\Users\Admin\AppData\Local\Temp\1w0P0d8x9.bat
Filesize
56B

MD5
7afe63a4ef473a23de0176b6679dfc40

SHA1
b4b578c5eb5933a32ee5b783d66f553db239b0a8

SHA256
4dea827dd5e53bc906a7dffc1bf05d6a81e9bad05363d5cf296231a8233ae379

SHA512
9fd285ab4a86f03f13e01c1869a4ee098a65af6f034c67fd24cef94d5de7c4402514246b6459cbb2c8f1abb71967d0fc987e9e78aa2523c76181cc09765a7173

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.crypt
Filesize
673B

MD5
02e9466971118010cc260a79b8da9d35

SHA1
0711baa86f13b75704755a51465452c36172ba34

SHA256
57483c1ad7f4df65e3ffb7492c9d1d0e67986dc1bef9fcdc1605fd54946768b9

SHA512
3212323424546e750db439fee9092952b1e7c2a9e1c587a126965a6654131cb92f8de86ae9635f4176d13ed81eca5b417dbfeb0b4173e1e5580a27ab26990fa9

Download Submit
\??\pipe\LOCAL\crashpad_1580_WHJLOCADAAFFFXGV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-149-0x0000000000000000-mapping.dmp

Download
memory/60-141-0x0000000000000000-mapping.dmp

Download
memory/64-166-0x0000000000000000-mapping.dmp

Download
memory/112-148-0x0000000000000000-mapping.dmp

Download
memory/424-180-0x0000000000000000-mapping.dmp

Download
memory/456-159-0x0000000000000000-mapping.dmp

Download
memory/848-176-0x0000000000000000-mapping.dmp

Download
memory/872-184-0x0000000000000000-mapping.dmp

Download
memory/884-165-0x0000000000000000-mapping.dmp

Download
memory/984-167-0x0000000000000000-mapping.dmp

Download
memory/1060-146-0x0000000000000000-mapping.dmp

Download
memory/1064-142-0x0000000000000000-mapping.dmp

Download
memory/1312-157-0x0000000000000000-mapping.dmp

Download
memory/1316-158-0x0000000000000000-mapping.dmp

Download
memory/1408-189-0x0000000000000000-mapping.dmp

Download
memory/1520-145-0x0000000000000000-mapping.dmp

Download
memory/1596-164-0x0000000000000000-mapping.dmp

Download
memory/1616-161-0x0000000000000000-mapping.dmp

Download
memory/1804-174-0x0000000000000000-mapping.dmp

Download
memory/1868-183-0x0000000000000000-mapping.dmp

Download
memory/1932-188-0x0000000000000000-mapping.dmp

Download
memory/2168-190-0x0000000000000000-mapping.dmp

Download
memory/2208-151-0x0000000000000000-mapping.dmp

Download
memory/2236-172-0x0000000000000000-mapping.dmp

Download
memory/2292-187-0x0000000000000000-mapping.dmp

Download
memory/2452-168-0x0000000000000000-mapping.dmp

Download
memory/2632-196-0x0000000000000000-mapping.dmp

Download
memory/2736-178-0x0000000000000000-mapping.dmp

Download
memory/2960-134-0x0000000000000000-mapping.dmp

Download
memory/3116-155-0x0000000000000000-mapping.dmp

Download
memory/3396-144-0x0000000000000000-mapping.dmp

Download
memory/3564-153-0x0000000000000000-mapping.dmp

Download
memory/3568-154-0x0000000000000000-mapping.dmp

Download
memory/3640-171-0x0000000000000000-mapping.dmp

Download
memory/3672-192-0x0000000000000000-mapping.dmp

Download
memory/3696-182-0x0000000000000000-mapping.dmp

Download
memory/3760-170-0x0000000000000000-mapping.dmp

Download
memory/3812-175-0x0000000000000000-mapping.dmp

Download
memory/3952-150-0x0000000000000000-mapping.dmp

Download
memory/4132-139-0x0000000000000000-mapping.dmp

Download
memory/4144-194-0x0000000000000000-mapping.dmp

Download
memory/4152-191-0x0000000000000000-mapping.dmp

Download
memory/4176-169-0x0000000000000000-mapping.dmp

Download
memory/4196-162-0x0000000000000000-mapping.dmp

Download
memory/4244-195-0x0000000000000000-mapping.dmp

Download
memory/4268-140-0x0000000000000000-mapping.dmp

Download
memory/4372-185-0x0000000000000000-mapping.dmp

Download
memory/4376-132-0x0000000000000000-mapping.dmp

Download
memory/4508-152-0x0000000000000000-mapping.dmp

Download
memory/4512-156-0x0000000000000000-mapping.dmp

Download
memory/4624-177-0x0000000000000000-mapping.dmp

Download
memory/4632-179-0x0000000000000000-mapping.dmp

Download
memory/4780-160-0x0000000000000000-mapping.dmp

Download
memory/4808-181-0x0000000000000000-mapping.dmp

Download
memory/4824-163-0x0000000000000000-mapping.dmp

Download
memory/4848-193-0x0000000000000000-mapping.dmp

Download
memory/4916-138-0x0000000000000000-mapping.dmp

Download
memory/4932-186-0x0000000000000000-mapping.dmp

Download
memory/4936-136-0x0000000000000000-mapping.dmp

Download
memory/4952-137-0x0000000000000000-mapping.dmp

Download
memory/5044-133-0x0000000000000000-mapping.dmp

Download
memory/5064-173-0x0000000000000000-mapping.dmp

Download
memory/5072-147-0x0000000000000000-mapping.dmp

Download
memory/5104-143-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads