hxxps://www[.]paste[.]sh/LuZegZGp#PjGg23jCk5avbDWW7IKIf4Ni

Analysis

max time kernel
164s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2023 15:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.paste.sh/LuZegZGp#PjGg23jCk5avbDWW7IKIf4Ni

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.bat	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
216	takeown.exe
2548	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3052	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "247"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133297615921371866"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
428	PING.EXE
840	PING.EXE
536	PING.EXE
5028	PING.EXE
4928	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe
5096	mspaint.exe
5096	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeCreatePagefilePrivilege	2280	chrome.exe
Token: SeTakeOwnershipPrivilege	216	takeown.exe
Token: SeTakeOwnershipPrivilege	2548	takeown.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeShutdownPrivilege	2240	shutdown.exe
Token: SeRemoteShutdownPrivilege	2240	shutdown.exe
Token: SeShutdownPrivilege	4472	shutdown.exe
Token: SeRemoteShutdownPrivilege	4472	shutdown.exe
Token: SeShutdownPrivilege	2604	shutdown.exe
Token: SeRemoteShutdownPrivilege	2604	shutdown.exe
Token: SeShutdownPrivilege	3552	shutdown.exe
Token: SeRemoteShutdownPrivilege	3552	shutdown.exe
Token: SeShutdownPrivilege	3244	shutdown.exe
Token: SeRemoteShutdownPrivilege	3244	shutdown.exe
Token: SeShutdownPrivilege	3116	shutdown.exe
Token: SeRemoteShutdownPrivilege	3116	shutdown.exe
Token: SeShutdownPrivilege	404	shutdown.exe
Token: SeRemoteShutdownPrivilege	404	shutdown.exe
Token: SeShutdownPrivilege	4752	shutdown.exe
Token: SeRemoteShutdownPrivilege	4752	shutdown.exe
Token: SeShutdownPrivilege	1592	shutdown.exe
Token: SeRemoteShutdownPrivilege	1592	shutdown.exe
Token: SeShutdownPrivilege	1160	shutdown.exe
Token: SeRemoteShutdownPrivilege	1160	shutdown.exe
Token: SeShutdownPrivilege	4612	shutdown.exe
Token: SeRemoteShutdownPrivilege	4612	shutdown.exe
Token: SeShutdownPrivilege	1056	shutdown.exe
Token: SeRemoteShutdownPrivilege	1056	shutdown.exe
Token: SeShutdownPrivilege	2304	shutdown.exe
Token: SeRemoteShutdownPrivilege	2304	shutdown.exe
Token: SeShutdownPrivilege	3428	shutdown.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5096	mspaint.exe
5096	mspaint.exe
5096	mspaint.exe
5096	mspaint.exe
4624	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2244	2280	chrome.exe	87
PID 2280 wrote to memory of 2244	2280	chrome.exe	87
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 1952	2280	chrome.exe	88
PID 2280 wrote to memory of 232	2280	chrome.exe	89
PID 2280 wrote to memory of 232	2280	chrome.exe	89
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90
PID 2280 wrote to memory of 3600	2280	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.paste.sh/LuZegZGp#PjGg23jCk5avbDWW7IKIf4Ni
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe48c9758,0x7fffe48c9768,0x7fffe48c9778
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:2
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1796,i,15453109036996847402,15393161178849443692,131072 /prefetch:8
  2⤵
  PID:1416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:484

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\.bat
1⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\.bat" "
1⤵
- Drops startup file
PID:4468
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\Desktop\.bat"
  2⤵
  PID:3616
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\bootmgr.efi
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32\winlogon.exe
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /B "C:\Users\Admin\Desktop\*"
  2⤵
  PID:5036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 4
  2⤵
  - Runs ping.exe
  PID:428
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 4
  2⤵
  - Runs ping.exe
  PID:840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 4
  2⤵
  - Runs ping.exe
  PID:536
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 11
  2⤵
  - Runs ping.exe
  PID:5028
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 4
  2⤵
  - Runs ping.exe
  PID:4928
- C:\Windows\system32\mspaint.exe
  mspaint.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5096
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4140
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1576
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1856
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1360
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2992
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4212
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4004
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:788
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3840
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2640
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1892
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:5064
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1348
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3224
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1136
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3016
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2232
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4332
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4116
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3500
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1768
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4056
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:948
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:996
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2704
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4508
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:5036
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1096
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2816
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4356
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:232
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4984
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2520
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:840
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3360
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:536
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3484
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4708
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4760
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1784
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3108
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4492
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3576
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2104
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4624
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3452
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3592
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3568
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2736
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1988
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2356
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3472
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3896
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3396
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4420
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3796
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3760
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4976
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4300
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1028
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1736
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4388
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3228
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2908
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3004
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2360
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3104
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4100
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1412
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4128
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:644
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3888
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3304
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3264
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3432
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:756
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2424
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3828
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1616
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1540
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:436
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2832
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2268
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4612
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1364
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1344
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1732
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3380
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4040
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3928
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1360
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4176
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2472
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4124
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1740
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3288
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4340
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4012
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2224
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2480
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:984
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4772
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3028
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1092
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2000
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3856
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4888
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4332
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1844
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:236
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4868
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4184
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4108
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:216
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2004
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1448
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2548
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:5116
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4720
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1400
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1280
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2948
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:212
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1204
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4132
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4444
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4988
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2688
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:988
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4896
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:5016
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3076
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1108
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1964
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3052
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3992
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4620
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3460
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3520
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3620
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3188
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3240
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2260
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3256
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4656
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2584
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4784
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3792
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3920
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3560
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3868
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1180
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1152
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1812
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3272
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:456
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4544
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4684
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4828
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4932
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4712
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4916
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4744
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:540
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1516
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1496
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:652
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1408
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4552
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3432
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:756
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2424
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3828
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1616
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4580
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1196
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4152
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1660
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:720
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:560
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2268
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4612
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1364
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1344
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1732
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3380
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1856
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3912
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3096
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4064
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3752
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1984
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3212
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:484
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3368
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2980
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:5088
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4824
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:472
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3224
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4220
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3408
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3012
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3764
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4804
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4116
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3500
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1768
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4056
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:948
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1936
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2704
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4508
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:5036
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:428
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2816
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4356
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:232
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4984
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2520
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:840
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3360
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:536
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3484
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4708
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:4376
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1424
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:1968
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:3944
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 60 /c "Draw something."
  2⤵
  PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3914055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3853943943406d6040b27177b7ede41f

SHA1
03661e9958217a7cf668b85c7957a5b853e87e57

SHA256
e46e77bdb88ba2ca577cf4c24777ada1b355975583a5d6dcdef7b90f7dce6810

SHA512
0f0c94369937c1d9f9e5bee28a08e99c5f15032aaf723eb9ed066117f54a1fca46b9c098ea5fe0c97ba34413e13ccc33e10362c5fc76a22b37f42d635ad14a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
89e74ed023c71bd2882509a952abb67b

SHA1
4fd41afb145754ec8c7ed859f6752dcbc45e8f15

SHA256
85b0805ae06ab9bc510440ada67a480b046f6b6c7011a1ee1453d9881872c14d

SHA512
0bdf820ef01f6ec634b4615b84292d1468caaf09eda874edff77806358143c1b1c90013b1c3de057041d965ca4a1f73ec7268f025d7ce094f00b90db282bd986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f47bf5ed1dffd62c1fddfdd839604318

SHA1
aa606262bae68fc1c3cd3c468579b14166fd3dcc

SHA256
ad403281924ba4792876ada4ae295298fc7d8ca9f19bf3ea1349f727760becb6

SHA512
03cddaff4c5645ed7f3d3a83e5741668644fd9cc968e73252d5373de6747b15562ab348dcf8e268dadf6065d2d249a6cc69af298daec62c7c13a54488b466f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d9198fb461eed5b4d7847ac311e909c

SHA1
9d56f3e996ed301963ea5bfdf174c62a8f226e68

SHA256
e86e7f30a826b8b3099371d3d22b921b9007d7d7abfca55210711c47faef1492

SHA512
e290a625618c1d44a2a6a65df386f86088a402c638f1ad197dcf9071f9e79ef1d3ffb149243d414535aa2fa0dba276b45edb5cdc1ba544b20377725193959c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
eb0b613a803cb875c75a43103e95ff77

SHA1
3d08ed4d33c310142cf8f316a7bc337ae28a2f33

SHA256
aa80c21d738bd1f7add699e0e5ea828b412e853300519be6990b49762ea4f81c

SHA512
2c56e828c0e9240560c74bfc2fc5cbfed5b5174295954b853aefc433bb3a8020b71ebe502a963eab914cfa816e809f80db4957fcf6c63f67aeca084aab97ba99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
0339620e507fb8c8f9d886bb1f46d1bf

SHA1
83245d4d57006045ccce52302b72d530eb81f3e6

SHA256
8bc26ca042f84aa89f56320dcdecb241e87e003bc5872d51f7093995886f01b4

SHA512
5e3671939ce0d08073a59ab481018a6061e5c9ef4b2111b2898b0d77e104b852f9d0072ac91dda1f0bed1721c2a1cc0293cb4805a9f351953d4cac7f2526e252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
bd443fcda81c4b89b72c2bf2aa904e5b

SHA1
35e56977722fecab6d3a9383c207c2cd15d334aa

SHA256
6fe99a9c09d64265d43cda59d5c360ada88e2906130a631f242609ca2b3469b3

SHA512
70221cc390b76ebfc23e4a98e1d2e81add07f6c3849af123575a2c142d5afa5305e5d2530e11c149cfa6baa29f7bb17ef350f780164a979d6ee6893e9b16c7b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\.bat

Filesize
5KB

MD5
603d94058286c64f8d1b6b1f56c16c2d

SHA1
b18f4a38be49407ddc05a6dce075e759df334979

SHA256
44a90b9b2ea3eda3de4ba66218437948de931c6d94bd195e59f6641160d1d164

SHA512
cafc04fc73b79ebb20996eaabae2e7a5614295032cba0f29c4c00dfee4dbba8d29acb36fb993ec112fcb53719824ee2ce1031e3412719fc2f42d57d54543d9bd

Download Submit