ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db

Resubmissions

03/08/2023, 10:09

230803-l66h5scg59 9

03/08/2023, 08:13

230803-j4rabscb95 9

03/08/2023, 08:07

230803-jz65zscb64 9

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03/08/2023, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
Size

6.1MB
MD5

a0fea954561663f60059420e6c78fa5c
SHA1

d5d37ae269008e9bfddc171c3b05bd3d43a5cd4d
SHA256

ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db
SHA512

bda26b069df556e88a763c3fc77990d13c73b2d314333db60ec8fc06091fd656c235fbd46eb8c2ea5287fcdbbb413cb3a550f2475a4ad95894a67ae5b130df50
SSDEEP

196608:iMa/eLKguAgyc2gcnhcPQwjQwX746VYx:zuAs2guc4FfNx

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Loads dropped DLL 31 IoCs

pid	Process
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1548	sc.exe
3064	sc.exe
2772	sc.exe
1512	sc.exe
2488	sc.exe
3008	sc.exe
3048	sc.exe
1764	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3064	vssadmin.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
2352	taskkill.exe
880	taskkill.exe
2704	taskkill.exe
2108	taskkill.exe
1948	taskkill.exe
984	taskkill.exe
2736	taskkill.exe
2928	taskkill.exe
1504	taskkill.exe
1484	taskkill.exe
856	taskkill.exe
2356	taskkill.exe
2880	taskkill.exe
268	taskkill.exe
2500	taskkill.exe
2592	taskkill.exe
1760	taskkill.exe
1748	taskkill.exe
2572	taskkill.exe
2204	taskkill.exe
2932	taskkill.exe
2828	taskkill.exe
1328	taskkill.exe
1868	taskkill.exe
2068	taskkill.exe
536	taskkill.exe
2780	taskkill.exe
860	taskkill.exe
2844	taskkill.exe
2496	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2876	2556	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	29
PID 2556 wrote to memory of 2876	2556	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	29
PID 2556 wrote to memory of 2876	2556	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	29
PID 2556 wrote to memory of 2876	2556	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	29
PID 2876 wrote to memory of 560	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	30
PID 2876 wrote to memory of 560	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	30
PID 2876 wrote to memory of 560	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	30
PID 2876 wrote to memory of 560	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	30
PID 560 wrote to memory of 272	560	cmd.exe	31
PID 560 wrote to memory of 272	560	cmd.exe	31
PID 560 wrote to memory of 272	560	cmd.exe	31
PID 560 wrote to memory of 272	560	cmd.exe	31
PID 272 wrote to memory of 980	272	net.exe	32
PID 272 wrote to memory of 980	272	net.exe	32
PID 272 wrote to memory of 980	272	net.exe	32
PID 272 wrote to memory of 980	272	net.exe	32
PID 2876 wrote to memory of 2804	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	33
PID 2876 wrote to memory of 2804	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	33
PID 2876 wrote to memory of 2804	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	33
PID 2876 wrote to memory of 2804	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	33
PID 2804 wrote to memory of 3064	2804	cmd.exe	34
PID 2804 wrote to memory of 3064	2804	cmd.exe	34
PID 2804 wrote to memory of 3064	2804	cmd.exe	34
PID 2804 wrote to memory of 3064	2804	cmd.exe	34
PID 2876 wrote to memory of 796	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	35
PID 2876 wrote to memory of 796	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	35
PID 2876 wrote to memory of 796	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	35
PID 2876 wrote to memory of 796	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	35
PID 796 wrote to memory of 312	796	cmd.exe	36
PID 796 wrote to memory of 312	796	cmd.exe	36
PID 796 wrote to memory of 312	796	cmd.exe	36
PID 796 wrote to memory of 312	796	cmd.exe	36
PID 312 wrote to memory of 2272	312	net.exe	37
PID 312 wrote to memory of 2272	312	net.exe	37
PID 312 wrote to memory of 2272	312	net.exe	37
PID 312 wrote to memory of 2272	312	net.exe	37
PID 2876 wrote to memory of 2188	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	38
PID 2876 wrote to memory of 2188	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	38
PID 2876 wrote to memory of 2188	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	38
PID 2876 wrote to memory of 2188	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	38
PID 2188 wrote to memory of 2772	2188	cmd.exe	39
PID 2188 wrote to memory of 2772	2188	cmd.exe	39
PID 2188 wrote to memory of 2772	2188	cmd.exe	39
PID 2188 wrote to memory of 2772	2188	cmd.exe	39
PID 2876 wrote to memory of 1980	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	40
PID 2876 wrote to memory of 1980	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	40
PID 2876 wrote to memory of 1980	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	40
PID 2876 wrote to memory of 1980	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	40
PID 1980 wrote to memory of 2396	1980	cmd.exe	41
PID 1980 wrote to memory of 2396	1980	cmd.exe	41
PID 1980 wrote to memory of 2396	1980	cmd.exe	41
PID 1980 wrote to memory of 2396	1980	cmd.exe	41
PID 2396 wrote to memory of 1724	2396	net.exe	42
PID 2396 wrote to memory of 1724	2396	net.exe	42
PID 2396 wrote to memory of 1724	2396	net.exe	42
PID 2396 wrote to memory of 1724	2396	net.exe	42
PID 2876 wrote to memory of 2168	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	43
PID 2876 wrote to memory of 2168	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	43
PID 2876 wrote to memory of 2168	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	43
PID 2876 wrote to memory of 2168	2876	ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe	43
PID 2168 wrote to memory of 1512	2168	cmd.exe	44
PID 2168 wrote to memory of 1512	2168	cmd.exe	44
PID 2168 wrote to memory of 1512	2168	cmd.exe	44
PID 2168 wrote to memory of 1512	2168	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
"C:\Users\Admin\AppData\Local\Temp\ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe
  "C:\Users\Admin\AppData\Local\Temp\ce5cf3b964e636d546bf2c52423296bda06b7fe47e6f8a757f165a3be93c88db.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop svc$ 2> NUL 1> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\net.exe
      net stop svc$
      4⤵
      Suspicious use of WriteProcessMemory
      PID:272
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop svc$
        5⤵
        
        PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config svc$ start= disabled 2> NUL 1> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\sc.exe
      sc config svc$ start= disabled
      4⤵
      Launches sc.exe
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop vss 2> NUL 1> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      Suspicious use of WriteProcessMemory
      PID:312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config vss start= disabled 2> NUL 1> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\sc.exe
      sc config vss start= disabled
      4⤵
      Launches sc.exe
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop sophos 2> NUL 1> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\net.exe
      net stop sophos
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sophos
        5⤵
        
        PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config sophos start= disabled 2> NUL 1> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\sc.exe
      sc config sophos start= disabled
      4⤵
      Launches sc.exe
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop mepocs 2> NUL 1> NUL
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\net.exe
      net stop mepocs
      4⤵
      PID:1196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop mepocs
        5⤵
        
        PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config mepocs start= disabled 2> NUL 1> NUL
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\sc.exe
      sc config mepocs start= disabled
      4⤵
      Launches sc.exe
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop backup 2> NUL 1> NUL
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\net.exe
      net stop backup
      4⤵
      PID:2176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop backup
        5⤵
        
        PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config backup start= disabled 2> NUL 1> NUL
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\sc.exe
      sc config backup start= disabled
      4⤵
      Launches sc.exe
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop sql 2> NUL 1> NUL
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\net.exe
      net stop sql
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sql
        5⤵
        
        PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config sql start= disabled 2> NUL 1> NUL
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\sc.exe
      sc config sql start= disabled
      4⤵
      Launches sc.exe
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop memtas 2> NUL 1> NUL
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net.exe
      net stop memtas
      4⤵
      PID:1808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop memtas
        5⤵
        
        PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config memtas start= disabled 2> NUL 1> NUL
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\sc.exe
      sc config memtas start= disabled
      4⤵
      Launches sc.exe
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop veeam 2> NUL 1> NUL
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\net.exe
      net stop veeam
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop veeam
        5⤵
        
        PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config veeam start= disabled 2> NUL 1> NUL
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\sc.exe
      sc config veeam start= disabled
      4⤵
      Launches sc.exe
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im outlook.exe 2> NUL 1> NUL
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im outlook.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im agntsvc.exe 2> NUL 1> NUL
    3⤵
    PID:1064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im agntsvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im infopath.exe 2> NUL 1> NUL
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im infopath.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im sqbcoreservice.exe 2> NUL 1> NUL
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqbcoreservice.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe 2> NUL 1> NUL
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im steam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im firefox.exe 2> NUL 1> NUL
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ocomm.exe 2> NUL 1> NUL
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ocomm.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ocssd.exe 2> NUL 1> NUL
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ocssd.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im mydesktopqos.exe 2> NUL 1> NUL
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mydesktopqos.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im oracle.exe 2> NUL 1> NUL
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im oracle.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im powerpnt.exe 2> NUL 1> NUL
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im powerpnt.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im wordpad.exe 2> NUL 1> NUL
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im wordpad.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im synctime.exe 2> NUL 1> NUL
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im synctime.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im sql.exe 2> NUL 1> NUL
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sql.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im thebat.exe 2> NUL 1> NUL
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im thebat.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im onenote.exe 2> NUL 1> NUL
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im onenote.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im excel.exe 2> NUL 1> NUL
    3⤵
    PID:280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im excel.exe
      4⤵
      Kills process with taskkill
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im visio.exe 2> NUL 1> NUL
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im visio.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im encsvc.exe 2> NUL 1> NUL
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im encsvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im winword.exe 2> NUL 1> NUL
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im winword.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im mydesktopservice.exe 2> NUL 1> NUL
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mydesktopservice.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im dbsnmp.exe 2> NUL 1> NUL
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im dbsnmp.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im isqlplussvc.exe 2> NUL 1> NUL
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im isqlplussvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im tbirdconfig.exe 2> NUL 1> NUL
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im tbirdconfig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im mspub.exe 2> NUL 1> NUL
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mspub.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im msaccess.exe 2> NUL 1> NUL
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im msaccess.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im thunderbird.exe 2> NUL 1> NUL
    3⤵
    PID:580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im thunderbird.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ocautoupds.exe 2> NUL 1> NUL
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ocautoupds.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im xfssvccon.exe 2> NUL 1> NUL
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im xfssvccon.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im dbeng50.exe 2> NUL 1> NUL
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im dbeng50.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all 2> NUL 1> NUL
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all
      4⤵
      Interacts with shadow copies
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact