74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a

Resubmissions

24-11-2021 13:59

211124-rahp4acghj 10

24-11-2021 09:36

211124-lk29laccgq 8

Analysis

max time kernel
117s
max time network
158s
platform
windows10_x64
resource
win10-en-20211104
submitted
24-11-2021 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

emk21h33.exe
Size

385KB
MD5

54e8989f3595120a430b8d31ca87c0cc
SHA1

30609e95e4396e7c409b21e0d96c185736cc01d2
SHA256

74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a
SHA512

56d102a6723e79e0fd4bf5756cf5fe01c36d62a9f1c0575750c288ab9b6de119ce6675a5156c80f4ed3274962981a14095ced7c9d213f9e9216b4a655ab66206

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	30	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BlockReset.tiff.xot5ik	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\MergeWatch.crw => C:\Users\Admin\Pictures\MergeWatch.crw.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\MergeWatch.crw.xot5ik	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\TraceHide.tif => C:\Users\Admin\Pictures\TraceHide.tif.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\TraceHide.tif.xot5ik	emk21h33.exe
File opened for modification	C:\Users\Admin\Pictures\BlockReset.tiff	emk21h33.exe
File renamed	C:\Users\Admin\Pictures\BlockReset.tiff => C:\Users\Admin\Pictures\BlockReset.tiff.xot5ik	emk21h33.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	emk21h33.exe
File opened (read-only)	\??\O:	emk21h33.exe
File opened (read-only)	\??\H:	emk21h33.exe
File opened (read-only)	\??\V:	emk21h33.exe
File opened (read-only)	\??\N:	emk21h33.exe
File opened (read-only)	\??\Q:	emk21h33.exe
File opened (read-only)	\??\W:	emk21h33.exe
File opened (read-only)	\??\P:	emk21h33.exe
File opened (read-only)	\??\S:	emk21h33.exe
File opened (read-only)	\??\L:	emk21h33.exe
File opened (read-only)	\??\T:	emk21h33.exe
File opened (read-only)	\??\U:	emk21h33.exe
File opened (read-only)	\??\I:	emk21h33.exe
File opened (read-only)	\??\A:	emk21h33.exe
File opened (read-only)	\??\F:	emk21h33.exe
File opened (read-only)	\??\J:	emk21h33.exe
File opened (read-only)	\??\X:	emk21h33.exe
File opened (read-only)	\??\B:	emk21h33.exe
File opened (read-only)	\??\M:	emk21h33.exe
File opened (read-only)	\??\R:	emk21h33.exe
File opened (read-only)	\??\Y:	emk21h33.exe
File opened (read-only)	\??\G:	emk21h33.exe
File opened (read-only)	\??\K:	emk21h33.exe
File opened (read-only)	\??\Z:	emk21h33.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	emk21h33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	emk21h33.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
1924	taskkill.exe
3144	taskkill.exe
1996	taskkill.exe
3212	taskkill.exe
3956	taskkill.exe
1692	taskkill.exe
832	taskkill.exe
1376	taskkill.exe
3392	taskkill.exe
2448	taskkill.exe
4068	taskkill.exe
2192	taskkill.exe
1936	taskkill.exe
2704	taskkill.exe
2424	taskkill.exe
1976	taskkill.exe
1692	taskkill.exe
2220	taskkill.exe
1592	taskkill.exe
2716	taskkill.exe
1688	taskkill.exe
1052	taskkill.exe
964	taskkill.exe
1852	taskkill.exe
3488	taskkill.exe
1520	taskkill.exe
3016	taskkill.exe
2136	taskkill.exe
908	taskkill.exe
404	taskkill.exe
1736	taskkill.exe
3780	taskkill.exe
3592	taskkill.exe
608	taskkill.exe
3060	taskkill.exe
968	taskkill.exe
864	taskkill.exe
2840	taskkill.exe
3512	taskkill.exe
304	taskkill.exe
3896	taskkill.exe
1140	taskkill.exe
612	taskkill.exe
1944	taskkill.exe
3496	taskkill.exe
1844	taskkill.exe
3224	taskkill.exe
2176	taskkill.exe
596	taskkill.exe
3440	taskkill.exe
2952	taskkill.exe
2884	taskkill.exe
396	taskkill.exe
932	taskkill.exe
1996	taskkill.exe
4068	taskkill.exe
3304	taskkill.exe
3500	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2408	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3696	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe
1876	emk21h33.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	emk21h33.exe
Token: SeDebugPrivilege	1876	emk21h33.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	612	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	1192	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1876	emk21h33.exe
1876	emk21h33.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1876	emk21h33.exe
1876	emk21h33.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 832	1876	emk21h33.exe	69
PID 1876 wrote to memory of 832	1876	emk21h33.exe	69
PID 1876 wrote to memory of 832	1876	emk21h33.exe	69
PID 1876 wrote to memory of 1408	1876	emk21h33.exe	71
PID 1876 wrote to memory of 1408	1876	emk21h33.exe	71
PID 1876 wrote to memory of 1408	1876	emk21h33.exe	71
PID 1876 wrote to memory of 2408	1876	emk21h33.exe	73
PID 1876 wrote to memory of 2408	1876	emk21h33.exe	73
PID 1876 wrote to memory of 2408	1876	emk21h33.exe	73
PID 1876 wrote to memory of 656	1876	emk21h33.exe	75
PID 1876 wrote to memory of 656	1876	emk21h33.exe	75
PID 1876 wrote to memory of 656	1876	emk21h33.exe	75
PID 1876 wrote to memory of 3924	1876	emk21h33.exe	77
PID 1876 wrote to memory of 3924	1876	emk21h33.exe	77
PID 1876 wrote to memory of 3924	1876	emk21h33.exe	77
PID 1876 wrote to memory of 3444	1876	emk21h33.exe	79
PID 1876 wrote to memory of 3444	1876	emk21h33.exe	79
PID 1876 wrote to memory of 3444	1876	emk21h33.exe	79
PID 1876 wrote to memory of 3576	1876	emk21h33.exe	80
PID 1876 wrote to memory of 3576	1876	emk21h33.exe	80
PID 1876 wrote to memory of 3576	1876	emk21h33.exe	80
PID 1876 wrote to memory of 980	1876	emk21h33.exe	83
PID 1876 wrote to memory of 980	1876	emk21h33.exe	83
PID 1876 wrote to memory of 980	1876	emk21h33.exe	83
PID 1876 wrote to memory of 1928	1876	emk21h33.exe	88
PID 1876 wrote to memory of 1928	1876	emk21h33.exe	88
PID 1876 wrote to memory of 1928	1876	emk21h33.exe	88
PID 1876 wrote to memory of 1840	1876	emk21h33.exe	85
PID 1876 wrote to memory of 1840	1876	emk21h33.exe	85
PID 1876 wrote to memory of 1840	1876	emk21h33.exe	85
PID 1876 wrote to memory of 2180	1876	emk21h33.exe	89
PID 1876 wrote to memory of 2180	1876	emk21h33.exe	89
PID 1876 wrote to memory of 2180	1876	emk21h33.exe	89
PID 1876 wrote to memory of 2948	1876	emk21h33.exe	91
PID 1876 wrote to memory of 2948	1876	emk21h33.exe	91
PID 1876 wrote to memory of 2948	1876	emk21h33.exe	91
PID 1876 wrote to memory of 396	1876	emk21h33.exe	93
PID 1876 wrote to memory of 396	1876	emk21h33.exe	93
PID 1876 wrote to memory of 396	1876	emk21h33.exe	93
PID 1876 wrote to memory of 3496	1876	emk21h33.exe	98
PID 1876 wrote to memory of 3496	1876	emk21h33.exe	98
PID 1876 wrote to memory of 3496	1876	emk21h33.exe	98
PID 1876 wrote to memory of 1692	1876	emk21h33.exe	97
PID 1876 wrote to memory of 1692	1876	emk21h33.exe	97
PID 1876 wrote to memory of 1692	1876	emk21h33.exe	97
PID 1876 wrote to memory of 1376	1876	emk21h33.exe	99
PID 1876 wrote to memory of 1376	1876	emk21h33.exe	99
PID 1876 wrote to memory of 1376	1876	emk21h33.exe	99
PID 1876 wrote to memory of 2716	1876	emk21h33.exe	101
PID 1876 wrote to memory of 2716	1876	emk21h33.exe	101
PID 1876 wrote to memory of 2716	1876	emk21h33.exe	101
PID 1876 wrote to memory of 1688	1876	emk21h33.exe	103
PID 1876 wrote to memory of 1688	1876	emk21h33.exe	103
PID 1876 wrote to memory of 1688	1876	emk21h33.exe	103
PID 1876 wrote to memory of 2136	1876	emk21h33.exe	105
PID 1876 wrote to memory of 2136	1876	emk21h33.exe	105
PID 1876 wrote to memory of 2136	1876	emk21h33.exe	105
PID 1876 wrote to memory of 2840	1876	emk21h33.exe	107
PID 1876 wrote to memory of 2840	1876	emk21h33.exe	107
PID 1876 wrote to memory of 2840	1876	emk21h33.exe	107
PID 1876 wrote to memory of 3392	1876	emk21h33.exe	109
PID 1876 wrote to memory of 3392	1876	emk21h33.exe	109
PID 1876 wrote to memory of 3392	1876	emk21h33.exe	109
PID 1876 wrote to memory of 3780	1876	emk21h33.exe	111

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	emk21h33.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	emk21h33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	emk21h33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	emk21h33.exe

C:\Users\Admin\AppData\Local\Temp\emk21h33.exe
"C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1408
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:656
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3924
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3444
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3576
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:980
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1840
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1928
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2180
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:2948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:3608
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1940
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1212
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:400
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:2340
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1688
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:3472
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3696
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\emk21h33.exe
  2⤵
  PID:2724

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-188-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1192-191-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/1192-189-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/1192-187-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1192-199-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/1192-200-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1192-190-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1192-198-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/1192-197-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/1192-196-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/1192-210-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1192-195-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/1192-194-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/1192-212-0x00000000067A4000-0x00000000067A6000-memory.dmp

Filesize
8KB

Download
memory/1192-211-0x00000000067A3000-0x00000000067A4000-memory.dmp

Filesize
4KB

Download
memory/1876-126-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1876-213-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/1876-120-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1876-121-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1876-118-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1876-214-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download