f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327

Resubmissions

18-01-2022 15:29

220118-sw4ecsbhen 10

29-10-2021 12:17

211029-pf6m1aaabk 10

Analysis

max time kernel
150s
max time network
73s
platform
windows7_x64
resource
win7-en-20210920
submitted
29-10-2021 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Size

133KB
MD5

91b493febfc1d782875a09fc076a8850
SHA1

ed12cfbedc90181e869fce19dc820063fa6b3179
SHA256

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327
SHA512

bb66d4d65f8f615e6af06f4815233a2a7430373e4afc5a61a2b2fff0dc9a6a002b4edad0db2a336b24dabd65efc3b74f57985836d137f25eb87a1901cfa4b9a9

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1644	taskkill.exe
1268	taskkill.exe
1832	taskkill.exe
1656	taskkill.exe
1836	taskkill.exe
664	taskkill.exe
1900	taskkill.exe
1668	taskkill.exe
1480	taskkill.exe
1820	taskkill.exe
984	taskkill.exe
1920	taskkill.exe
1388	taskkill.exe
1960	taskkill.exe
1064	taskkill.exe
1664	taskkill.exe
1768	taskkill.exe
520	taskkill.exe
1660	taskkill.exe
1416	taskkill.exe
840	taskkill.exe
1700	taskkill.exe
1604	taskkill.exe
1528	taskkill.exe
556	taskkill.exe
1068	taskkill.exe
1576	taskkill.exe
924	taskkill.exe
1692	taskkill.exe
1176	taskkill.exe
1248	taskkill.exe
568	taskkill.exe
1676	taskkill.exe
1672	taskkill.exe
1172	taskkill.exe
1740	taskkill.exe
536	taskkill.exe
964	taskkill.exe
2016	taskkill.exe
1756	taskkill.exe
1780	taskkill.exe
600	taskkill.exe
1520	taskkill.exe
1616	taskkill.exe
268	taskkill.exe
1648	taskkill.exe
1824	taskkill.exe
1628	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1712 reg.exe

pid	process
1712	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

pid	process
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe

description	pid	process	target process
PID 1112 wrote to memory of 1756	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1756	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1756	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 284	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 1112 wrote to memory of 284	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 1112 wrote to memory of 284	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 1112 wrote to memory of 1712	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	reg.exe
PID 1112 wrote to memory of 288	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	schtasks.exe
PID 1112 wrote to memory of 288	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	schtasks.exe
PID 1112 wrote to memory of 288	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	schtasks.exe
PID 1112 wrote to memory of 1360	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1360	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1360	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1080	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 820	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 820	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 820	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1052	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 1112 wrote to memory of 1052	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 1112 wrote to memory of 1052	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 1112 wrote to memory of 1944	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1944	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1944	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1496	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1496	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1496	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1456	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1456	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1456	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1760	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1760	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1760	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1996	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1996	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1996	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	sc.exe
PID 1112 wrote to memory of 1920	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1920	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1920	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1676	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1676	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1676	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1268	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1268	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1268	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1700	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1700	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1700	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 932	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 1112 wrote to memory of 932	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 1112 wrote to memory of 932	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	netsh.exe
PID 1112 wrote to memory of 1064	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1064	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1064	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1780	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1780	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1780	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1832	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1832	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 1832	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe
PID 1112 wrote to memory of 600	1112	f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe
"C:\Users\Admin\AppData\Local\Temp\f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:284
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1712
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1360
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1080
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:820
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1052
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1944
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1496
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1456
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1996
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1764
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:984
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-116-0x0000000000000000-mapping.dmp

Download
memory/284-57-0x0000000000000000-mapping.dmp

Download
memory/288-59-0x0000000000000000-mapping.dmp

Download
memory/520-98-0x0000000000000000-mapping.dmp

Download
memory/536-94-0x0000000000000000-mapping.dmp

Download
memory/556-106-0x0000000000000000-mapping.dmp

Download
memory/568-118-0x0000000000000000-mapping.dmp

Download
memory/600-79-0x0000000000000000-mapping.dmp

Download
memory/664-96-0x0000000000000000-mapping.dmp

Download
memory/820-62-0x0000000000000000-mapping.dmp

Download
memory/840-111-0x0000000000000000-mapping.dmp

Download
memory/924-89-0x0000000000000000-mapping.dmp

Download
memory/932-74-0x0000000000000000-mapping.dmp

Download
memory/964-114-0x0000000000000000-mapping.dmp

Download
memory/984-115-0x0000000000000000-mapping.dmp

Download
memory/1052-63-0x0000000000000000-mapping.dmp

Download
memory/1052-70-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1064-75-0x0000000000000000-mapping.dmp

Download
memory/1068-110-0x0000000000000000-mapping.dmp

Download
memory/1080-61-0x0000000000000000-mapping.dmp

Download
memory/1112-53-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1112-55-0x0000000001F50000-0x0000000001F52000-memory.dmp

Filesize
8KB

Download
memory/1172-92-0x0000000000000000-mapping.dmp

Download
memory/1176-99-0x0000000000000000-mapping.dmp

Download
memory/1248-113-0x0000000000000000-mapping.dmp

Download
memory/1268-72-0x0000000000000000-mapping.dmp

Download
memory/1360-60-0x0000000000000000-mapping.dmp

Download
memory/1388-102-0x0000000000000000-mapping.dmp

Download
memory/1416-105-0x0000000000000000-mapping.dmp

Download
memory/1456-66-0x0000000000000000-mapping.dmp

Download
memory/1480-107-0x0000000000000000-mapping.dmp

Download
memory/1496-65-0x0000000000000000-mapping.dmp

Download
memory/1520-87-0x0000000000000000-mapping.dmp

Download
memory/1528-91-0x0000000000000000-mapping.dmp

Download
memory/1576-82-0x0000000000000000-mapping.dmp

Download
memory/1588-122-0x000007FEEA6D0000-0x000007FEEB22D000-memory.dmp

Filesize
11.4MB

Download
memory/1588-127-0x00000000029AB000-0x00000000029CA000-memory.dmp

Filesize
124KB

Download
memory/1588-126-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1588-125-0x00000000029A4000-0x00000000029A7000-memory.dmp

Filesize
12KB

Download
memory/1588-123-0x00000000029A0000-0x00000000029A2000-memory.dmp

Filesize
8KB

Download
memory/1588-120-0x0000000000000000-mapping.dmp

Download
memory/1588-124-0x00000000029A2000-0x00000000029A4000-memory.dmp

Filesize
8KB

Download
memory/1604-83-0x0000000000000000-mapping.dmp

Download
memory/1616-109-0x0000000000000000-mapping.dmp

Download
memory/1628-117-0x0000000000000000-mapping.dmp

Download
memory/1644-104-0x0000000000000000-mapping.dmp

Download
memory/1648-84-0x0000000000000000-mapping.dmp

Download
memory/1656-81-0x0000000000000000-mapping.dmp

Download
memory/1660-103-0x0000000000000000-mapping.dmp

Download
memory/1664-85-0x0000000000000000-mapping.dmp

Download
memory/1668-101-0x0000000000000000-mapping.dmp

Download
memory/1672-88-0x0000000000000000-mapping.dmp

Download
memory/1676-71-0x0000000000000000-mapping.dmp

Download
memory/1692-97-0x0000000000000000-mapping.dmp

Download
memory/1700-73-0x0000000000000000-mapping.dmp

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download
memory/1740-93-0x0000000000000000-mapping.dmp

Download
memory/1756-56-0x0000000000000000-mapping.dmp

Download
memory/1760-67-0x0000000000000000-mapping.dmp

Download
memory/1764-80-0x0000000000000000-mapping.dmp

Download
memory/1768-90-0x0000000000000000-mapping.dmp

Download
memory/1780-76-0x0000000000000000-mapping.dmp

Download
memory/1820-108-0x0000000000000000-mapping.dmp

Download
memory/1824-95-0x0000000000000000-mapping.dmp

Download
memory/1832-78-0x0000000000000000-mapping.dmp

Download
memory/1836-86-0x0000000000000000-mapping.dmp

Download
memory/1900-100-0x0000000000000000-mapping.dmp

Download
memory/1920-69-0x0000000000000000-mapping.dmp

Download
memory/1944-64-0x0000000000000000-mapping.dmp

Download
memory/1960-112-0x0000000000000000-mapping.dmp

Download
memory/1996-68-0x0000000000000000-mapping.dmp

Download
memory/2016-119-0x0000000000000000-mapping.dmp

Download