272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348

Analysis

max time kernel
99s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
Size

290KB
MD5

5e3f586b0d8690e7a258ddae83549bb0
SHA1

99e811542284dc3f19aa40b58447f2b96026077c
SHA256

272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348
SHA512

68204e3ac3a14f8b97ec6f0c816ce9c777cffbf18e2ad657068eaa87e98329b3bb1442fbd80e161d8f4f35bf862346221c80e7390cf9024a7f9d4f6632e62fc4
SSDEEP

6144:YoQbRB/EpJdbK8/ljQ3sx23NaIHX0EMIkd9qT7InaUPy6YHZb5945IN:Yom/Ep/VQ3VaEXyxXqT7InaH6YHZb5qe

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

yara_rule
aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1284	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
1576	msmgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yorm.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\nmlsvcex.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\utama.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\MsPMSNSvs.dll	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\sharelnk.vbs	msmgr.exe
File opened for modification	C:\Windows\SysWOW64\winmsgr.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\yorm.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\utama.exe	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\zip.zip	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\nmlsvcex.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\utama.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\MsPMSNSvs.dll	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\koruptor.html.lnk	WScript.exe
File created	C:\Windows\SysWOW64\history.bat	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\exe.zip	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\winmsgr.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\winmsgr.exe	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\msmgr.exe	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~2.GIF	cmd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SUBMIS~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE99D5~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\DISTRI~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGSES~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMPRO~1.CER	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\IDENTI~1	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\CREATE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~4.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ENDED_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DEFAUL~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RECDE7~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORM_R~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.SIG	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSIG~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPU~1.INI	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MYRIAD~1.OTF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	cmd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEU~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.EXE	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\STOP_C~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE1558~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEL~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
700	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	700	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
1576	msmgr.exe
1576	msmgr.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1284	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	26
PID 2044 wrote to memory of 1284	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	26
PID 2044 wrote to memory of 1284	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	26
PID 2044 wrote to memory of 1284	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	26
PID 2044 wrote to memory of 112	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	27
PID 2044 wrote to memory of 112	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	27
PID 2044 wrote to memory of 112	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	27
PID 2044 wrote to memory of 112	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	27
PID 112 wrote to memory of 1800	112	cmd.exe	29
PID 112 wrote to memory of 1800	112	cmd.exe	29
PID 112 wrote to memory of 1800	112	cmd.exe	29
PID 112 wrote to memory of 1800	112	cmd.exe	29
PID 1800 wrote to memory of 1396	1800	net.exe	30
PID 1800 wrote to memory of 1396	1800	net.exe	30
PID 1800 wrote to memory of 1396	1800	net.exe	30
PID 1800 wrote to memory of 1396	1800	net.exe	30
PID 2044 wrote to memory of 1576	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	31
PID 2044 wrote to memory of 1576	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	31
PID 2044 wrote to memory of 1576	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	31
PID 2044 wrote to memory of 1576	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	31
PID 2044 wrote to memory of 1788	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	32
PID 2044 wrote to memory of 1788	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	32
PID 2044 wrote to memory of 1788	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	32
PID 2044 wrote to memory of 1788	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	32
PID 1788 wrote to memory of 1752	1788	cmd.exe	34
PID 1788 wrote to memory of 1752	1788	cmd.exe	34
PID 1788 wrote to memory of 1752	1788	cmd.exe	34
PID 1788 wrote to memory of 1752	1788	cmd.exe	34
PID 1752 wrote to memory of 584	1752	net.exe	35
PID 1752 wrote to memory of 584	1752	net.exe	35
PID 1752 wrote to memory of 584	1752	net.exe	35
PID 1752 wrote to memory of 584	1752	net.exe	35
PID 1576 wrote to memory of 524	1576	msmgr.exe	36
PID 1576 wrote to memory of 524	1576	msmgr.exe	36
PID 1576 wrote to memory of 524	1576	msmgr.exe	36
PID 1576 wrote to memory of 524	1576	msmgr.exe	36
PID 2044 wrote to memory of 1824	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	37
PID 2044 wrote to memory of 1824	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	37
PID 2044 wrote to memory of 1824	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	37
PID 2044 wrote to memory of 1824	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	37
PID 1824 wrote to memory of 1628	1824	cmd.exe	39
PID 1824 wrote to memory of 1628	1824	cmd.exe	39
PID 1824 wrote to memory of 1628	1824	cmd.exe	39
PID 1824 wrote to memory of 1628	1824	cmd.exe	39
PID 1628 wrote to memory of 1568	1628	net.exe	40
PID 1628 wrote to memory of 1568	1628	net.exe	40
PID 1628 wrote to memory of 1568	1628	net.exe	40
PID 1628 wrote to memory of 1568	1628	net.exe	40
PID 2044 wrote to memory of 836	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	41
PID 2044 wrote to memory of 836	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	41
PID 2044 wrote to memory of 836	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	41
PID 2044 wrote to memory of 836	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	41
PID 836 wrote to memory of 700	836	cmd.exe	43
PID 836 wrote to memory of 700	836	cmd.exe	43
PID 836 wrote to memory of 700	836	cmd.exe	43
PID 836 wrote to memory of 700	836	cmd.exe	43
PID 2044 wrote to memory of 2028	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	45
PID 2044 wrote to memory of 2028	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	45
PID 2044 wrote to memory of 2028	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	45
PID 2044 wrote to memory of 2028	2044	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	45

C:\Users\Admin\AppData\Local\Temp\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
"C:\Users\Admin\AppData\Local\Temp\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
  "C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe"
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Net Stop ERSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\net.exe
    Net Stop ERSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 Stop ERSvc
      4⤵
      PID:1396
- C:\Windows\SysWOW64\msmgr.exe
  "C:\Windows\system32\msmgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\sharelnk.vbs"
    3⤵
    - Drops file in System32 directory
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C net stop WmdmPmSN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\net.exe
    net stop WmdmPmSN
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WmdmPmSN
      4⤵
      PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C net start WmdmPmSN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\net.exe
    net start WmdmPmSN
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start WmdmPmSN
      4⤵
      PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /IM firefox.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM firefox.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\system32\history.bat
  2⤵
  - Drops file in Program Files directory
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Filesize
32KB

MD5
845cfcb9624f447f48fe5ad09a257dd9

SHA1
2fbef109bffa346d4efbeabd39ce3cbe12aa5d1e

SHA256
d05abe7fe2365a22d0261ae6b53c108fd7fbb9c846ba2b238a6f634e8eaa9e8d

SHA512
5318e670959975f43283405ceab1557215e42cbc125e4fbcca8af829fcf9e21799917f2c049a89aef099b5383d3607391959b37bac83f4bd49f1bcb0b62baa66

Download Submit
C:\Windows\SysWOW64\history.bat

Filesize
111B

MD5
0010ef82c63366ee3485b2a5d5f32ffd

SHA1
79968a1918a7b17747de77df2fae15bee0aef204

SHA256
2a97f8da1fc1a9d2e9b913a73d33efdaf6037e26e3715c70a152ea4c5a1df25c

SHA512
c9ce4a2c2c0a1a64ec0110ca4a6df6cb49dcb1de54aba8d6df009bc82a6cfd56d84fbcdc27119b78c786a82a4caad0159c0b6041e46311105f407ed517ba8481

Download Submit
C:\Windows\SysWOW64\msmgr.exe

Filesize
129KB

MD5
b626aac73d079a115d4352b31f74f6d6

SHA1
1ec899a8dd3a65e47ea1cd8901106e4e2144d26e

SHA256
0fe347abcc1e59f3e106ebd00b4ff14baf329c8fa073f9863129ee7c787e39bd

SHA512
ec350f1159b9d407a88e632d7f717a675992ef52c3b5e489a46453479dd3761902339a3e83d11547d53ebcd3a6a5cb640ad76b2dc954289416e1af4ef4f5f45a

Download Submit
C:\Windows\SysWOW64\msmgr.exe

Filesize
129KB

MD5
b626aac73d079a115d4352b31f74f6d6

SHA1
1ec899a8dd3a65e47ea1cd8901106e4e2144d26e

SHA256
0fe347abcc1e59f3e106ebd00b4ff14baf329c8fa073f9863129ee7c787e39bd

SHA512
ec350f1159b9d407a88e632d7f717a675992ef52c3b5e489a46453479dd3761902339a3e83d11547d53ebcd3a6a5cb640ad76b2dc954289416e1af4ef4f5f45a

Download Submit
C:\Windows\SysWOW64\sharelnk.vbs

Filesize
980B

MD5
ab9fbdace210fbbc7285f9b4f23dbb7e

SHA1
f7d1c47b78a543b67a638f39dd3152b069300ef9

SHA256
e3d4b1683d780a28633367a6a3febd0ec1e46a57b2baff81429fb4c0d09e4ed6

SHA512
f743188a56af8fc5ff3f5d6184c6af31ab65be08203830083e990901488434b07d8d4d0c63319a1ee2c04a45b09ae57212506dbafee249aa49a3bf84970150fb

Download Submit
\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Filesize
32KB

MD5
845cfcb9624f447f48fe5ad09a257dd9

SHA1
2fbef109bffa346d4efbeabd39ce3cbe12aa5d1e

SHA256
d05abe7fe2365a22d0261ae6b53c108fd7fbb9c846ba2b238a6f634e8eaa9e8d

SHA512
5318e670959975f43283405ceab1557215e42cbc125e4fbcca8af829fcf9e21799917f2c049a89aef099b5383d3607391959b37bac83f4bd49f1bcb0b62baa66

Download Submit
\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Filesize
32KB

MD5
845cfcb9624f447f48fe5ad09a257dd9

SHA1
2fbef109bffa346d4efbeabd39ce3cbe12aa5d1e

SHA256
d05abe7fe2365a22d0261ae6b53c108fd7fbb9c846ba2b238a6f634e8eaa9e8d

SHA512
5318e670959975f43283405ceab1557215e42cbc125e4fbcca8af829fcf9e21799917f2c049a89aef099b5383d3607391959b37bac83f4bd49f1bcb0b62baa66

Download Submit
\Windows\SysWOW64\msmgr.exe

Filesize
129KB

MD5
b626aac73d079a115d4352b31f74f6d6

SHA1
1ec899a8dd3a65e47ea1cd8901106e4e2144d26e

SHA256
0fe347abcc1e59f3e106ebd00b4ff14baf329c8fa073f9863129ee7c787e39bd

SHA512
ec350f1159b9d407a88e632d7f717a675992ef52c3b5e489a46453479dd3761902339a3e83d11547d53ebcd3a6a5cb640ad76b2dc954289416e1af4ef4f5f45a

Download Submit
\Windows\SysWOW64\msmgr.exe

Filesize
129KB

MD5
b626aac73d079a115d4352b31f74f6d6

SHA1
1ec899a8dd3a65e47ea1cd8901106e4e2144d26e

SHA256
0fe347abcc1e59f3e106ebd00b4ff14baf329c8fa073f9863129ee7c787e39bd

SHA512
ec350f1159b9d407a88e632d7f717a675992ef52c3b5e489a46453479dd3761902339a3e83d11547d53ebcd3a6a5cb640ad76b2dc954289416e1af4ef4f5f45a

Download Submit
memory/112-59-0x0000000000000000-mapping.dmp

Download
memory/524-70-0x0000000000000000-mapping.dmp

Download
memory/584-69-0x0000000000000000-mapping.dmp

Download
memory/700-78-0x0000000000000000-mapping.dmp

Download
memory/836-77-0x0000000000000000-mapping.dmp

Download
memory/1284-57-0x0000000000000000-mapping.dmp

Download
memory/1396-61-0x0000000000000000-mapping.dmp

Download
memory/1568-76-0x0000000000000000-mapping.dmp

Download
memory/1576-64-0x0000000000000000-mapping.dmp

Download
memory/1628-75-0x0000000000000000-mapping.dmp

Download
memory/1752-68-0x0000000000000000-mapping.dmp

Download
memory/1788-66-0x0000000000000000-mapping.dmp

Download
memory/1800-60-0x0000000000000000-mapping.dmp

Download
memory/1824-74-0x0000000000000000-mapping.dmp

Download
memory/2028-79-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download