fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

Resubmissions

28-10-2021 15:44

211028-s6m55agfbk 10

10-10-2021 17:01

211010-vjzlragafj 8

Analysis

max time kernel
149s
max time network
66s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-10-2021 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1084	taskkill.exe
1824	taskkill.exe
924	taskkill.exe
1072	taskkill.exe
1664	taskkill.exe
1104	taskkill.exe
1836	taskkill.exe
1064	taskkill.exe
1196	taskkill.exe
1704	taskkill.exe
1584	taskkill.exe
1672	taskkill.exe
676	taskkill.exe
1764	taskkill.exe
932	taskkill.exe
1680	taskkill.exe
1656	taskkill.exe
568	taskkill.exe
1628	taskkill.exe
1832	taskkill.exe
1388	taskkill.exe
980	taskkill.exe
2016	taskkill.exe
1752	taskkill.exe
1288	taskkill.exe
1896	taskkill.exe
240	taskkill.exe
1940	taskkill.exe
1248	taskkill.exe
1000	taskkill.exe
1912	taskkill.exe
536	taskkill.exe
1004	taskkill.exe
1756	taskkill.exe
1692	taskkill.exe
1460	taskkill.exe
1556	taskkill.exe
1172	taskkill.exe
984	taskkill.exe
1588	taskkill.exe
788	taskkill.exe
1576	taskkill.exe
1416	taskkill.exe
1620	taskkill.exe
2044	taskkill.exe
520	taskkill.exe
1596	taskkill.exe
1908	taskkill.exe
1528	taskkill.exe
1768	taskkill.exe
1512	taskkill.exe
1688	taskkill.exe
1668	taskkill.exe
572	taskkill.exe
1508	taskkill.exe
1800	taskkill.exe
1176	taskkill.exe
1996	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1712 reg.exe

pid	process
1712	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iE8JUAJp7.bin.exe

pid	process
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe
1112	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

iE8JUAJp7.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1112	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	1112	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1460	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1744	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iE8JUAJp7.bin.exe

description	pid	process	target process
PID 1112 wrote to memory of 1756	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1756	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1756	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1756	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 284	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 284	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 284	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 284	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	iE8JUAJp7.bin.exe	reg.exe
PID 1112 wrote to memory of 288	1112	iE8JUAJp7.bin.exe	schtasks.exe
PID 1112 wrote to memory of 288	1112	iE8JUAJp7.bin.exe	schtasks.exe
PID 1112 wrote to memory of 288	1112	iE8JUAJp7.bin.exe	schtasks.exe
PID 1112 wrote to memory of 288	1112	iE8JUAJp7.bin.exe	schtasks.exe
PID 1112 wrote to memory of 1360	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1360	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1360	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1360	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1648	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1648	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1648	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1648	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1516	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1516	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1516	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1516	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1464	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1464	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1464	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1464	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1276	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1276	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1276	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1276	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1520	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1520	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1520	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1520	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1068	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1068	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1068	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 1068	1112	iE8JUAJp7.bin.exe	sc.exe
PID 1112 wrote to memory of 544	1112	iE8JUAJp7.bin.exe	netsh.exe
PID 1112 wrote to memory of 544	1112	iE8JUAJp7.bin.exe	netsh.exe
PID 1112 wrote to memory of 544	1112	iE8JUAJp7.bin.exe	netsh.exe
PID 1112 wrote to memory of 544	1112	iE8JUAJp7.bin.exe	netsh.exe
PID 1112 wrote to memory of 1764	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1764	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1764	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1764	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1668	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1668	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1668	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1668	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1692	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1692	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1692	1112	iE8JUAJp7.bin.exe	taskkill.exe
PID 1112 wrote to memory of 1692	1112	iE8JUAJp7.bin.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:284
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1712
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:288
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1360
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1080
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1648
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1516
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1464
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1520
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1276
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1068
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:520
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-94-0x0000000000000000-mapping.dmp

Download
memory/284-56-0x0000000000000000-mapping.dmp

Download
memory/288-58-0x0000000000000000-mapping.dmp

Download
memory/520-98-0x0000000000000000-mapping.dmp

Download
memory/536-85-0x0000000000000000-mapping.dmp

Download
memory/544-67-0x0000000000000000-mapping.dmp

Download
memory/544-82-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/568-110-0x0000000000000000-mapping.dmp

Download
memory/572-72-0x0000000000000000-mapping.dmp

Download
memory/676-121-0x0000000000000000-mapping.dmp

Download
memory/924-86-0x0000000000000000-mapping.dmp

Download
memory/932-74-0x0000000000000000-mapping.dmp

Download
memory/980-83-0x0000000000000000-mapping.dmp

Download
memory/984-93-0x0000000000000000-mapping.dmp

Download
memory/1000-113-0x0000000000000000-mapping.dmp

Download
memory/1004-87-0x0000000000000000-mapping.dmp

Download
memory/1064-91-0x0000000000000000-mapping.dmp

Download
memory/1068-66-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x0000000000000000-mapping.dmp

Download
memory/1084-81-0x0000000000000000-mapping.dmp

Download
memory/1104-116-0x0000000000000000-mapping.dmp

Download
memory/1112-53-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1112-68-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1172-89-0x0000000000000000-mapping.dmp

Download
memory/1176-76-0x0000000000000000-mapping.dmp

Download
memory/1196-104-0x0000000000000000-mapping.dmp

Download
memory/1248-111-0x0000000000000000-mapping.dmp

Download
memory/1276-64-0x0000000000000000-mapping.dmp

Download
memory/1288-88-0x0000000000000000-mapping.dmp

Download
memory/1360-59-0x0000000000000000-mapping.dmp

Download
memory/1388-79-0x0000000000000000-mapping.dmp

Download
memory/1416-73-0x0000000000000000-mapping.dmp

Download
memory/1460-75-0x0000000000000000-mapping.dmp

Download
memory/1464-63-0x0000000000000000-mapping.dmp

Download
memory/1508-101-0x0000000000000000-mapping.dmp

Download
memory/1512-118-0x0000000000000000-mapping.dmp

Download
memory/1516-62-0x0000000000000000-mapping.dmp

Download
memory/1520-65-0x0000000000000000-mapping.dmp

Download
memory/1528-109-0x0000000000000000-mapping.dmp

Download
memory/1556-78-0x0000000000000000-mapping.dmp

Download
memory/1576-102-0x0000000000000000-mapping.dmp

Download
memory/1588-99-0x0000000000000000-mapping.dmp

Download
memory/1596-77-0x0000000000000000-mapping.dmp

Download
memory/1620-92-0x0000000000000000-mapping.dmp

Download
memory/1628-119-0x0000000000000000-mapping.dmp

Download
memory/1648-61-0x0000000000000000-mapping.dmp

Download
memory/1656-108-0x0000000000000000-mapping.dmp

Download
memory/1664-106-0x0000000000000000-mapping.dmp

Download
memory/1668-70-0x0000000000000000-mapping.dmp

Download
memory/1672-115-0x0000000000000000-mapping.dmp

Download
memory/1680-80-0x0000000000000000-mapping.dmp

Download
memory/1692-71-0x0000000000000000-mapping.dmp

Download
memory/1704-117-0x0000000000000000-mapping.dmp

Download
memory/1712-57-0x0000000000000000-mapping.dmp

Download
memory/1744-123-0x00000000022B0000-0x0000000002EFA000-memory.dmp

Filesize
12.3MB

Download
memory/1756-55-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000000000000-mapping.dmp

Download
memory/1768-120-0x0000000000000000-mapping.dmp

Download
memory/1800-112-0x0000000000000000-mapping.dmp

Download
memory/1824-84-0x0000000000000000-mapping.dmp

Download
memory/1896-90-0x0000000000000000-mapping.dmp

Download
memory/1908-100-0x0000000000000000-mapping.dmp

Download
memory/1912-114-0x0000000000000000-mapping.dmp

Download
memory/1940-107-0x0000000000000000-mapping.dmp

Download
memory/1944-103-0x0000000000000000-mapping.dmp

Download
memory/1952-95-0x0000000000000000-mapping.dmp

Download
memory/1996-105-0x0000000000000000-mapping.dmp

Download
memory/2044-96-0x0000000000000000-mapping.dmp

Download