Analysis
-
max time kernel
110s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
24-11-2021 09:36
Static task
static1
Behavioral task
behavioral1
Sample
emk21h33.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
emk21h33.exe
Resource
win10-en-20211104
General
-
Target
emk21h33.exe
-
Size
385KB
-
MD5
54e8989f3595120a430b8d31ca87c0cc
-
SHA1
30609e95e4396e7c409b21e0d96c185736cc01d2
-
SHA256
74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a
-
SHA512
56d102a6723e79e0fd4bf5756cf5fe01c36d62a9f1c0575750c288ab9b6de119ce6675a5156c80f4ed3274962981a14095ced7c9d213f9e9216b4a655ab66206
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
description flow ioc HTTP URL 30 http://live.sysinternals.com/PsExec.exe -
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\BackupBlock.tiff => C:\Users\Admin\Pictures\BackupBlock.tiff.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\BackupBlock.tiff.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\RestoreShow.tif => C:\Users\Admin\Pictures\RestoreShow.tif.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\RestoreShow.tif.xot5ik emk21h33.exe File renamed C:\Users\Admin\Pictures\NewMove.tif => C:\Users\Admin\Pictures\NewMove.tif.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\NewMove.tif.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\ShowStart.tiff emk21h33.exe File renamed C:\Users\Admin\Pictures\ShowStart.tiff => C:\Users\Admin\Pictures\ShowStart.tiff.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\BackupBlock.tiff emk21h33.exe File opened for modification C:\Users\Admin\Pictures\ConvertToUpdate.tiff emk21h33.exe File renamed C:\Users\Admin\Pictures\ConvertToUpdate.tiff => C:\Users\Admin\Pictures\ConvertToUpdate.tiff.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\ConvertToUpdate.tiff.xot5ik emk21h33.exe File opened for modification C:\Users\Admin\Pictures\ShowStart.tiff.xot5ik emk21h33.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: emk21h33.exe File opened (read-only) \??\H: emk21h33.exe File opened (read-only) \??\Q: emk21h33.exe File opened (read-only) \??\R: emk21h33.exe File opened (read-only) \??\Y: emk21h33.exe File opened (read-only) \??\A: emk21h33.exe File opened (read-only) \??\S: emk21h33.exe File opened (read-only) \??\F: emk21h33.exe File opened (read-only) \??\K: emk21h33.exe File opened (read-only) \??\V: emk21h33.exe File opened (read-only) \??\N: emk21h33.exe File opened (read-only) \??\W: emk21h33.exe File opened (read-only) \??\E: emk21h33.exe File opened (read-only) \??\Z: emk21h33.exe File opened (read-only) \??\B: emk21h33.exe File opened (read-only) \??\M: emk21h33.exe File opened (read-only) \??\L: emk21h33.exe File opened (read-only) \??\X: emk21h33.exe File opened (read-only) \??\T: emk21h33.exe File opened (read-only) \??\U: emk21h33.exe File opened (read-only) \??\I: emk21h33.exe File opened (read-only) \??\O: emk21h33.exe File opened (read-only) \??\P: emk21h33.exe File opened (read-only) \??\J: emk21h33.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!" emk21h33.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!" emk21h33.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1974107395\1506172464.pri netsh.exe File created C:\Windows\rescache\_merged\1301087654\4010849688.pri netsh.exe File created C:\Windows\rescache\_merged\1476457207\263943467.pri netsh.exe File created C:\Windows\rescache\_merged\2878165772\3312292840.pri netsh.exe File created C:\Windows\rescache\_merged\81479705\2284120958.pri netsh.exe File created C:\Windows\rescache\_merged\4272278488\927794230.pri netsh.exe File created C:\Windows\rescache\_merged\4185669309\1880392806.pri netsh.exe File created C:\Windows\rescache\_merged\3623239459\11870838.pri netsh.exe File created C:\Windows\rescache\_merged\423379043\2764571712.pri netsh.exe File created C:\Windows\rescache\_merged\2483382631\1144272743.pri netsh.exe File created C:\Windows\rescache\_merged\3418783148\4223189797.pri netsh.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri netsh.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri netsh.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 58 IoCs
pid Process 1724 taskkill.exe 3800 taskkill.exe 1912 taskkill.exe 2400 taskkill.exe 1200 taskkill.exe 2904 taskkill.exe 1100 taskkill.exe 2164 taskkill.exe 2816 taskkill.exe 3144 taskkill.exe 2504 taskkill.exe 900 taskkill.exe 3168 taskkill.exe 1168 taskkill.exe 2112 taskkill.exe 432 taskkill.exe 3592 taskkill.exe 2344 taskkill.exe 1288 taskkill.exe 1608 taskkill.exe 1860 taskkill.exe 1224 taskkill.exe 1232 taskkill.exe 600 taskkill.exe 3824 taskkill.exe 4008 taskkill.exe 1460 taskkill.exe 3616 taskkill.exe 508 taskkill.exe 3604 taskkill.exe 2368 taskkill.exe 3128 taskkill.exe 1116 taskkill.exe 4032 taskkill.exe 3488 taskkill.exe 756 taskkill.exe 3316 taskkill.exe 2136 taskkill.exe 3132 taskkill.exe 3932 taskkill.exe 2428 taskkill.exe 1616 taskkill.exe 3332 taskkill.exe 3912 taskkill.exe 3496 taskkill.exe 3780 taskkill.exe 1888 taskkill.exe 2020 taskkill.exe 1032 taskkill.exe 2092 taskkill.exe 1004 taskkill.exe 2432 taskkill.exe 2172 taskkill.exe 2316 taskkill.exe 1336 taskkill.exe 2928 taskkill.exe 2020 taskkill.exe 3104 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4020 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2400 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe 2688 emk21h33.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
description pid Process Token: SeDebugPrivilege 2688 emk21h33.exe Token: SeDebugPrivilege 2688 emk21h33.exe Token: SeDebugPrivilege 3932 taskkill.exe Token: SeDebugPrivilege 1224 taskkill.exe Token: SeDebugPrivilege 1004 taskkill.exe Token: SeDebugPrivilege 1116 taskkill.exe Token: SeDebugPrivilege 2020 taskkill.exe Token: SeDebugPrivilege 4008 taskkill.exe Token: SeDebugPrivilege 1860 taskkill.exe Token: SeDebugPrivilege 2164 taskkill.exe Token: SeDebugPrivilege 3780 taskkill.exe Token: SeDebugPrivilege 3496 taskkill.exe Token: SeDebugPrivilege 3168 taskkill.exe Token: SeDebugPrivilege 3592 taskkill.exe Token: SeDebugPrivilege 4032 taskkill.exe Token: SeDebugPrivilege 1724 taskkill.exe Token: SeDebugPrivilege 3800 taskkill.exe Token: SeDebugPrivilege 1032 taskkill.exe Token: SeDebugPrivilege 2316 taskkill.exe Token: SeDebugPrivilege 3144 taskkill.exe Token: SeDebugPrivilege 508 taskkill.exe Token: SeDebugPrivilege 1168 taskkill.exe Token: SeDebugPrivilege 3488 taskkill.exe Token: SeDebugPrivilege 1288 taskkill.exe Token: SeDebugPrivilege 1912 taskkill.exe Token: SeDebugPrivilege 756 taskkill.exe Token: SeDebugPrivilege 2344 taskkill.exe Token: SeDebugPrivilege 2112 taskkill.exe Token: SeDebugPrivilege 2400 taskkill.exe Token: SeDebugPrivilege 2816 taskkill.exe Token: SeDebugPrivilege 3104 taskkill.exe Token: SeDebugPrivilege 1336 taskkill.exe Token: SeDebugPrivilege 3912 taskkill.exe Token: SeDebugPrivilege 2432 taskkill.exe Token: SeDebugPrivilege 3604 taskkill.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 2172 taskkill.exe Token: SeDebugPrivilege 3128 taskkill.exe Token: SeDebugPrivilege 900 taskkill.exe Token: SeDebugPrivilege 2428 taskkill.exe Token: SeDebugPrivilege 1460 taskkill.exe Token: SeDebugPrivilege 3316 taskkill.exe Token: SeDebugPrivilege 1232 taskkill.exe Token: SeDebugPrivilege 432 taskkill.exe Token: SeDebugPrivilege 600 taskkill.exe Token: SeDebugPrivilege 1616 taskkill.exe Token: SeDebugPrivilege 1608 taskkill.exe Token: SeDebugPrivilege 2092 taskkill.exe Token: SeDebugPrivilege 2904 taskkill.exe Token: SeDebugPrivilege 2928 taskkill.exe Token: SeDebugPrivilege 2136 taskkill.exe Token: SeDebugPrivilege 3824 taskkill.exe Token: SeDebugPrivilege 3332 taskkill.exe Token: SeDebugPrivilege 2020 taskkill.exe Token: SeDebugPrivilege 3616 taskkill.exe Token: SeDebugPrivilege 3132 taskkill.exe Token: SeDebugPrivilege 1100 taskkill.exe Token: SeDebugPrivilege 1888 taskkill.exe Token: SeDebugPrivilege 2288 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2688 emk21h33.exe 2688 emk21h33.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2688 emk21h33.exe 2688 emk21h33.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2688 wrote to memory of 3932 2688 emk21h33.exe 69 PID 2688 wrote to memory of 3932 2688 emk21h33.exe 69 PID 2688 wrote to memory of 3932 2688 emk21h33.exe 69 PID 2688 wrote to memory of 896 2688 emk21h33.exe 71 PID 2688 wrote to memory of 896 2688 emk21h33.exe 71 PID 2688 wrote to memory of 896 2688 emk21h33.exe 71 PID 2688 wrote to memory of 4020 2688 emk21h33.exe 73 PID 2688 wrote to memory of 4020 2688 emk21h33.exe 73 PID 2688 wrote to memory of 4020 2688 emk21h33.exe 73 PID 2688 wrote to memory of 636 2688 emk21h33.exe 75 PID 2688 wrote to memory of 636 2688 emk21h33.exe 75 PID 2688 wrote to memory of 636 2688 emk21h33.exe 75 PID 2688 wrote to memory of 3920 2688 emk21h33.exe 77 PID 2688 wrote to memory of 3920 2688 emk21h33.exe 77 PID 2688 wrote to memory of 3920 2688 emk21h33.exe 77 PID 2688 wrote to memory of 3332 2688 emk21h33.exe 78 PID 2688 wrote to memory of 3332 2688 emk21h33.exe 78 PID 2688 wrote to memory of 3332 2688 emk21h33.exe 78 PID 2688 wrote to memory of 3712 2688 emk21h33.exe 82 PID 2688 wrote to memory of 3712 2688 emk21h33.exe 82 PID 2688 wrote to memory of 3712 2688 emk21h33.exe 82 PID 2688 wrote to memory of 2584 2688 emk21h33.exe 83 PID 2688 wrote to memory of 2584 2688 emk21h33.exe 83 PID 2688 wrote to memory of 2584 2688 emk21h33.exe 83 PID 2688 wrote to memory of 1708 2688 emk21h33.exe 87 PID 2688 wrote to memory of 1708 2688 emk21h33.exe 87 PID 2688 wrote to memory of 1708 2688 emk21h33.exe 87 PID 2688 wrote to memory of 668 2688 emk21h33.exe 86 PID 2688 wrote to memory of 668 2688 emk21h33.exe 86 PID 2688 wrote to memory of 668 2688 emk21h33.exe 86 PID 2688 wrote to memory of 400 2688 emk21h33.exe 89 PID 2688 wrote to memory of 400 2688 emk21h33.exe 89 PID 2688 wrote to memory of 400 2688 emk21h33.exe 89 PID 2688 wrote to memory of 1072 2688 emk21h33.exe 90 PID 2688 wrote to memory of 1072 2688 emk21h33.exe 90 PID 2688 wrote to memory of 1072 2688 emk21h33.exe 90 PID 2688 wrote to memory of 1224 2688 emk21h33.exe 93 PID 2688 wrote to memory of 1224 2688 emk21h33.exe 93 PID 2688 wrote to memory of 1224 2688 emk21h33.exe 93 PID 2688 wrote to memory of 1116 2688 emk21h33.exe 98 PID 2688 wrote to memory of 1116 2688 emk21h33.exe 98 PID 2688 wrote to memory of 1116 2688 emk21h33.exe 98 PID 2688 wrote to memory of 1004 2688 emk21h33.exe 97 PID 2688 wrote to memory of 1004 2688 emk21h33.exe 97 PID 2688 wrote to memory of 1004 2688 emk21h33.exe 97 PID 2688 wrote to memory of 4008 2688 emk21h33.exe 99 PID 2688 wrote to memory of 4008 2688 emk21h33.exe 99 PID 2688 wrote to memory of 4008 2688 emk21h33.exe 99 PID 2688 wrote to memory of 2020 2688 emk21h33.exe 103 PID 2688 wrote to memory of 2020 2688 emk21h33.exe 103 PID 2688 wrote to memory of 2020 2688 emk21h33.exe 103 PID 2688 wrote to memory of 1860 2688 emk21h33.exe 102 PID 2688 wrote to memory of 1860 2688 emk21h33.exe 102 PID 2688 wrote to memory of 1860 2688 emk21h33.exe 102 PID 2688 wrote to memory of 2164 2688 emk21h33.exe 105 PID 2688 wrote to memory of 2164 2688 emk21h33.exe 105 PID 2688 wrote to memory of 2164 2688 emk21h33.exe 105 PID 2688 wrote to memory of 3496 2688 emk21h33.exe 107 PID 2688 wrote to memory of 3496 2688 emk21h33.exe 107 PID 2688 wrote to memory of 3496 2688 emk21h33.exe 107 PID 2688 wrote to memory of 3780 2688 emk21h33.exe 108 PID 2688 wrote to memory of 3780 2688 emk21h33.exe 108 PID 2688 wrote to memory of 3780 2688 emk21h33.exe 108 PID 2688 wrote to memory of 3168 2688 emk21h33.exe 111 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" emk21h33.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" emk21h33.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!" emk21h33.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!" emk21h33.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:896
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:4020
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:636
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵PID:3920
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵PID:3332
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:3712
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵PID:2584
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:668
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:1708
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:400
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵PID:1072
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3592
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3800
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:508
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:2504
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3104
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
PID:1200
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3316
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:600
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ragent.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM rmngr.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3332
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM rphost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM vmwp.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sql.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM 1cv8.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Drops file in Windows directory
PID:1056
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:2720
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵PID:1572
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:896
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵PID:2920
-
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵PID:3156
-
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵PID:3916
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt2⤵PID:2012
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵PID:1288
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
PID:2400
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:4004
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\emk21h33.exe2⤵PID:2920
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122881⤵PID:3748