Analysis
- max time kernel: 30s
- max time network: 6s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 29/10/2024, 22:02
- static task: static1
General
- Target: UNBANSEVER.exe
- Size: 759KB
- MD5: 30485bfd2d58f3448b9b235a05b9951c
- SHA1: 183f316fd6201eba056ccb5a8efdece5df6c8f8c
- SHA256: d7ffc0a81cd1bae45ba220a4fcbbae32b10cb2f7449e996bf3c57ee9b7f3c47b
- SHA512: 758c110ca487b2195581370fbc3021a35ebfaeffc202deedf84be2c1813de6e5cb43947ee3ee4fb2e57e369897b06bd802065a85a9dbd8138444e8471b6af252
- SSDEEP: 12288:Ink7Er1/zPdaGn+SjpV8VnHGM/GCA9KP91jUwMf+VO:U6idxLj8BHGyRx9d3W+VO
Malware Config
- Extracted family: xworm
- C2: 185.84.161.64:7000, 45.141.26.194:7000
- Install_directory: %ProgramData%
- install_file: svchost.exe

Note that the extracted configuration and the observed install locations do not line up one-to-one: the process tree below shows the dropped svchost.exe running from C:\Users\Admin\AppData\Roaming, while the binary placed in C:\ProgramData keeps the name UNBANSEVER.exe. The YARA hits under Signatures show two XWorm-flagged executables and two matching memory regions, and the page shows a single extracted configuration, so treat the two C2 endpoints as the reliable indicators and do not assume the install path alone when hunting for the persistence artefact.
Signatures
- Detect Xworm Payload (4 IoCs, YARA rule family_xworm):
  - behavioral1/files/0x00290000000450bf-19.dat
  - behavioral1/memory/4520-30-0x0000000000F70000-0x0000000000F88000-memory.dmp
  - behavioral1/files/0x00280000000450c2-47.dat
  - behavioral1/memory/2556-60-0x00000000008A0000-0x00000000008C2000-memory.dmp
  Two dropped files and two process memory regions match; the memory hits are PIDs 4520 and 2556, the dropped svchost.exe and SecurityHealthSystray.exe in the process tree, so the dropper carries two XWorm payloads.
- Xworm family
- Checks computer location settings (2 TTPs, 2 IoCs). Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation, by UNBANSEVER.exe (twice: the Temp copy and the Roaming copy, PIDs 1296 and 1616 in the process tree)
- Executes dropped EXE (4 IoCs): 1616 UNBANSEVER.exe, 4520 svchost.exe, 1968 UNBANSEVER.exe, 2556 SecurityHealthSystray.exe
- Looks up external IP address via web service (1 IoC). Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 7: ip-api.com
- Enumerates physical storage devices (1 TTP). Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (36 IoCs), all taskkill.exe. PIDs in the order reported: 548, 4636, 4132, 4972, 3472, 4692, 2856, 4380, 3996, 3668, 4188, 3060, 4500, 4588, 700, 1360, 1984, 1120, 3996, 3668, 4764, 412, 3812, 944, 1808, 4156, 1252, 328, 4056, 436, 2684, 1984, 4184, 4696, 2672, 4020. Three PIDs (1984, 3996, 3668) occur twice because Windows recycled them within the 30-second run; the process tree shows which target each instance killed.
- Suspicious use of AdjustPrivilegeToken (36 IoCs), all enabling SeDebugPrivilege: 4520 svchost.exe, 2556 SecurityHealthSystray.exe, and 34 taskkill.exe instances (PIDs 1984, 3996, 3668, 4184, 4696, 1252, 4692, 4764, 2672, 2856, 1120, 4188, 548, 412, 328, 3060, 700, 4056, 4020, 1360, 4500, 4588, 4380, 944, 436, 4636, 2684, 4132, 4156, 4972, 3472, 1984, 3996, 3668). taskkill /f requests SeDebugPrivilege as a matter of course, so those entries are expected noise; the two dropped payloads enabling it are the entries worth attention.
- Suspicious use of WriteProcessMemory (64 IoCs). Every entry pairs a parent with a child it spawned, so this list doubles as the process-creation log; the trailing procid_target value is the sandbox's own index for the child process (unique per process in this run, unlike the recycled OS PIDs). The raw output lists each create twice; de-duplicated, parent PID and image -> child PID (procid_target):
  - 1296 UNBANSEVER.exe -> 1616 (82), 4520 (83)
  - 1616 UNBANSEVER.exe -> 1968 (84), 2556 (86)
  - 1968 UNBANSEVER.exe -> 2164 (88), 4984 (91), 2372 (93), 2108 (95), 1852 (97), 2636 (99), 4720 (101), 456 (103), 2132 (105), 900 (107), 2512 (109), 3924 (111), 4528 (113), 4596 (115)
  - cmd.exe -> taskkill.exe: 2164 -> 1984 (89), 4984 -> 3996 (92), 2372 -> 3668 (94), 2108 -> 4184 (96), 1852 -> 4696 (98), 2636 -> 1252 (100), 4720 -> 4692 (102), 456 -> 4764 (104), 2132 -> 2672 (106), 900 -> 2856 (108), 2512 -> 1120 (110), 3924 -> 4188 (112), 4528 -> 548 (114), 4596 -> 412 (116)
  The listing stops at 64 entries, the last being the FiddlerEverywhere wrapper (116), which is why the later cmd.exe wrappers in the process tree carry no WriteProcessMemory flag.
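The WriteProcessMemory listing is enough to rebuild the process tree offline, which is useful when a report is exported as text and the rendered tree is lost. The Python below is an added example and not part of the sandbox report: it parses rows in the report's own row format (a subset of the rows above, embedded as constructed input), collapses the doubled rows by keying on the procid_target column rather than on OS PIDs, which this run recycles, and walks parent links to recover a process's full lineage. The row regex and the choice of procid_target as the de-duplication key are assumptions fitted to the rows as they appear on this page.

```python
"""Rebuild the process tree from a sandbox 'wrote to memory' listing.

Added example; not part of the sandbox report. Input rows are copied from
the report's WriteProcessMemory table (a subset, embedded as constructed
input). The trailing number is the sandbox's procid_target column, which
is unique per child process in this run, whereas OS PIDs are reused.
"""
import re
from collections import defaultdict

RECORDS = """
PID 1296 wrote to memory of 1616 1296 UNBANSEVER.exe 82
PID 1296 wrote to memory of 1616 1296 UNBANSEVER.exe 82
PID 1296 wrote to memory of 4520 1296 UNBANSEVER.exe 83
PID 1296 wrote to memory of 4520 1296 UNBANSEVER.exe 83
PID 1616 wrote to memory of 1968 1616 UNBANSEVER.exe 84
PID 1616 wrote to memory of 2556 1616 UNBANSEVER.exe 86
PID 1968 wrote to memory of 2164 1968 UNBANSEVER.exe 88
PID 2164 wrote to memory of 1984 2164 cmd.exe 89
PID 1968 wrote to memory of 4984 1968 UNBANSEVER.exe 91
PID 4984 wrote to memory of 3996 4984 cmd.exe 92
"""

# Row layout as it appears on the page: description, pid, Process, procid_target.
ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Return one (target, parent_pid, child_pid, parent_image) per create.

    The sandbox emits every create twice; keying on procid_target collapses
    the pair without relying on PIDs, which can repeat within a run.
    """
    rows = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[int(m["target"])] = (
                int(m["target"]), int(m["parent"]), int(m["child"]), m["image"]
            )
    return [rows[k] for k in sorted(rows)]


def build_tree(rows):
    """Return (children, images): parent PID -> child PIDs in create order,
    and PID -> image name for every process that appears as a parent."""
    children = defaultdict(list)
    images = {}
    for _, parent, child, image in rows:
        children[parent].append(child)
        images[parent] = image
    return dict(children), images


def lineage(rows, pid):
    """Walk from pid to the root, returning [root, ..., pid].

    The first row naming pid as a child wins, so a PID recycled later in
    the run does not rewrite the ancestry of the earlier process.
    """
    parent_of = {}
    for _, parent, child, _ in rows:
        parent_of.setdefault(child, parent)
    chain = [pid]
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children, images, root, depth=0):
    """Indented text tree; processes never seen as parents show as '?'."""
    lines = [f"{'  ' * depth}[{root}] {images.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_rows(RECORDS)
    children, images = build_tree(rows)
    print("\n".join(render(children, images, 1296)))
    print("lineage of 1984:", lineage(rows, 1984))
```

Child images are not in these rows (the sandbox names only the parent), so leaves render as "?"; join the PID-to-image pairs from the "Executes dropped EXE" and taskkill tables if full names are needed.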
Processes
Indentation shows parent to child. Every cmd.exe below is C:\Windows\system32\cmd.exe and every taskkill.exe is C:\Windows\system32\taskkill.exe; only the command line is shown for those. Flags: GEO = Checks computer location settings, DROP = Executes dropped EXE, WPM = Suspicious use of WriteProcessMemory, KILL = Kills process with taskkill, APT = Suspicious use of AdjustPrivilegeToken.

- [1296] C:\Users\Admin\AppData\Local\Temp\UNBANSEVER.exe (GEO, WPM)
  - [1616] C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe (GEO, DROP, WPM)
    - [1968] C:\ProgramData\UNBANSEVER.exe (DROP, WPM)
      - [2164] cmd.exe /c taskkill /f /im RiotClienServices.exe >nul 2>&1 (WPM)
        - [1984] taskkill /f /im RiotClienServices.exe (KILL, APT)
      - [4984] cmd.exe /c taskkill /f /im vgtray.exe >nul 2>&1 (WPM)
        - [3996] taskkill /f /im vgtray.exe (KILL, APT)
      - [2372] cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 (WPM)
        - [3668] taskkill /f /im HTTPDebuggerUI.exe (KILL, APT)
      - [2108] cmd.exe /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1 (WPM)
        - [4184] taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe (KILL, APT)
      - [1852] cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1 (WPM)
        - [4696] taskkill /f /im KsDumperClient.exe (KILL, APT)
      - [2636] cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1 (WPM)
        - [1252] taskkill /f /im KsDumper.exe (KILL, APT)
      - [4720] cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 (WPM)
        - [4692] taskkill /f /im HTTPDebuggerUI.exe (KILL, APT)
      - [456] cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 (WPM)
        - [4764] taskkill /f /im HTTPDebuggerSvc.exe (KILL, APT)
      - [2132] cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1 (WPM)
        - [2672] taskkill /f /im ProcessHacker.exe (KILL, APT)
      - [900] cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1 (WPM)
        - [2856] taskkill /f /im idaq.exe (KILL, APT)
      - [2512] cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1 (WPM)
        - [1120] taskkill /f /im idaq64.exe (KILL, APT)
      - [3924] cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1 (WPM)
        - [4188] taskkill /f /im Wireshark.exe (KILL, APT)
      - [4528] cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1 (WPM)
        - [548] taskkill /f /im Fiddler.exe (KILL, APT)
      - [4596] cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1 (WPM)
        - [412] taskkill /f /im FiddlerEverywhere.exe (KILL, APT)
      - [2344] cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
        - [328] taskkill /f /im Xenos64.exe (KILL, APT)
      - [1256] cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
        - [3060] taskkill /f /im Xenos.exe (KILL, APT)
      - [2884] cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
        - [700] taskkill /f /im Xenos32.exe (KILL, APT)
      - [3808] cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
        - [4056] taskkill /f /im de4dot.exe (KILL, APT)
      - [4552] cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
        - [3812] taskkill /f /im Cheat Engine.exe (KILL)
      - [644] cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
        - [4020] taskkill /f /im cheatengine-x86_64.exe (KILL, APT)
      - [996] cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
        - [1360] taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe (KILL, APT)
      - [968] cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
        - [4500] taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe (KILL, APT)
      - [3240] cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
        - [4588] taskkill /f /im MugenJinFuu-i386.exe (KILL, APT)
      - [4760] cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
        - [4380] taskkill /f /im cheatengine-x86_64.exe (KILL, APT)
      - [1496] cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
        - [944] taskkill /f /im cheatengine-i386.exe (KILL, APT)
      - [4916] cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
        - [1808] taskkill /f /im HTTP Debugger Windows Service (32 bit).exe (KILL)
      - [1480] cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
        - [436] taskkill /f /im KsDumper.exe (KILL, APT)
      - [1296] cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
        - [4636] taskkill /f /im OllyDbg.exe (KILL, APT)
      - [1132] cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
        - [2684] taskkill /f /im x64dbg.exe (KILL, APT)
      - [1468] cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
        - [4132] taskkill /f /im x32dbg.exe (KILL, APT)
      - [752] cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
        - [4156] taskkill /f /im HTTPDebuggerUI.exe (KILL, APT)
      - [1616] cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
        - [4972] taskkill /f /im HTTPDebuggerSvc.exe (KILL, APT)
      - [3144] cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
        - [3472] taskkill /f /im Ida64.exe (KILL, APT)
      - [1440] cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
        - [1984] taskkill /f /im OllyDbg.exe (KILL, APT)
      - [3064] cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
        - [3996] taskkill /f /im Dbg64.exe (KILL, APT)
      - [3696] cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
        - [3668] taskkill /f /im Dbg32.exe (KILL, APT)
      - [4860] cmd.exe /c cls
    - [2556] C:\ProgramData\SecurityHealthSystray.exe (DROP, APT)
  - [4520] C:\Users\Admin\AppData\Roaming\svchost.exe (DROP, APT)

Two things to keep in mind when pulling indicators from this tree. First, PIDs are recycled within the run: the cmd.exe wrappers numbered 1296 and 1616 are not the top-level UNBANSEVER.exe processes that carried those PIDs earlier, and taskkill PIDs 1984, 3996 and 3668 each occur twice, so key on image path and command line (or the sandbox's process index) rather than on PID alone. Second, the kill list mixes anti-analysis targets (OllyDbg, x32dbg/x64dbg, IDA, HTTP Debugger, Fiddler, Wireshark, Process Hacker, KsDumper, de4dot, the Xenos injectors) with game-client and cheat-related processes (RiotClienServices.exe as spelled by the sample, vgtray.exe, the Cheat Engine variants, the MugenJinFuu and mafiaengine builds), which fits the "UNBANSEVER" lure name; a detection keyed only on the analysis-tool names still fires on the first group.
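Two behaviours in the tree above translate directly into host detections: one parent issuing dozens of cmd.exe /c taskkill /f /im commands against analysis tools, and dropped binaries that borrow Windows system names (svchost.exe, SecurityHealthSystray.exe) while running from %ProgramData% or AppData. The Python below is an added example, not code from the sandbox report or the sample. Its event dicts are constructed to mirror a slice of the tree plus two benign controls, and their pid/ppid/image/cmd shape is an assumption standing in for Sysmon Event ID 1 or Security 4688 fields; the analysis-tool list is taken from the sample's own kill list, and the system-name list is deliberately limited to the two names this sample uses.

```python
"""Flag the two behaviours the process tree above shows: a parent that
mass-kills analysis tools through cmd.exe /c taskkill, and dropped
binaries that borrow Windows system names outside C:\\Windows.

Added example; not from the sandbox report or the sample. The event dicts
below are constructed to mirror the report's tree, and their pid/ppid/
image/cmd shape is an assumption standing in for Sysmon Event ID 1 or
Security 4688 fields.
"""
import re
from collections import defaultdict
from ntpath import basename

# Image names taken from the sample's own kill list in the tree above.
ANALYSIS_TOOLS = {n.lower() for n in [
    "HTTPDebuggerUI.exe", "HTTPDebuggerSvc.exe", "KsDumper.exe", "KsDumperClient.exe",
    "ProcessHacker.exe", "idaq.exe", "idaq64.exe", "Ida64.exe", "Wireshark.exe",
    "Fiddler.exe", "FiddlerEverywhere.exe", "de4dot.exe", "OllyDbg.exe", "x64dbg.exe",
    "x32dbg.exe", "Dbg64.exe", "Dbg32.exe", "Cheat Engine.exe", "cheatengine-i386.exe",
    "cheatengine-x86_64.exe", "cheatengine-x86_64-SSE4-AVX2.exe",
    "Xenos.exe", "Xenos32.exe", "Xenos64.exe",
]}

# Names this sample impersonates; a production rule would carry a fuller list.
SYSTEM_NAMES = {"svchost.exe", "securityhealthsystray.exe"}

# "taskkill /f /im <name>", stopping before any shell redirection such as ">nul 2>&1".
TASKKILL_RE = re.compile(r"taskkill\s+/f\s+/im\s+(?P<target>.+?)(?:\s*>\S+.*)?$", re.I)

CMD = r"C:\Windows\system32\cmd.exe"
TK = r"C:\Windows\system32\taskkill.exe"

# Constructed events mirroring a slice of the report's tree, plus two benign controls.
EVENTS = [
    {"pid": 1616, "ppid": 1296, "image": r"C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe", "cmd": r'"C:\Users\Admin\AppData\Roaming\UNBANSEVER.exe"'},
    {"pid": 1968, "ppid": 1616, "image": r"C:\ProgramData\UNBANSEVER.exe", "cmd": r'"C:\ProgramData\UNBANSEVER.exe"'},
    {"pid": 2164, "ppid": 1968, "image": CMD, "cmd": CMD + " /c taskkill /f /im RiotClienServices.exe >nul 2>&1"},
    {"pid": 1984, "ppid": 2164, "image": TK, "cmd": "taskkill /f /im RiotClienServices.exe"},
    {"pid": 2372, "ppid": 1968, "image": CMD, "cmd": CMD + " /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1"},
    {"pid": 3668, "ppid": 2372, "image": TK, "cmd": "taskkill /f /im HTTPDebuggerUI.exe"},
    {"pid": 2132, "ppid": 1968, "image": CMD, "cmd": CMD + " /c taskkill /f /im ProcessHacker.exe >nul 2>&1"},
    {"pid": 3924, "ppid": 1968, "image": CMD, "cmd": CMD + " /c taskkill /f /im Wireshark.exe >nul 2>&1"},
    {"pid": 4552, "ppid": 1968, "image": CMD, "cmd": CMD + " /c taskkill /f /im Cheat Engine.exe >nul 2>&1"},
    {"pid": 2556, "ppid": 1616, "image": r"C:\ProgramData\SecurityHealthSystray.exe", "cmd": r'"C:\ProgramData\SecurityHealthSystray.exe"'},
    {"pid": 4520, "ppid": 1296, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe", "cmd": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    # Benign controls (constructed): a real svchost.exe and a one-off taskkill.
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 5000, "ppid": 4000, "image": CMD, "cmd": CMD + " /c taskkill /f /im Wireshark.exe"},
]


def taskkill_target(cmd):
    """Image name passed to 'taskkill /f /im', or None if the command is not a kill."""
    m = TASKKILL_RE.search(cmd)
    return m["target"].strip() if m else None


def find_tool_killers(events, threshold=3):
    """{pid: sorted tool names} for processes that killed >= threshold distinct
    analysis tools. cmd.exe and taskkill.exe are walked past so the count lands
    on the process that issued the commands; when that parent was not logged,
    the wrapper itself is charged."""
    by_pid = {e["pid"]: e for e in events}
    kills = defaultdict(set)
    for e in events:
        target = taskkill_target(e["cmd"])
        if not target or target.lower() not in ANALYSIS_TOOLS:
            continue
        owner = e
        while basename(owner["image"]).lower() in ("cmd.exe", "taskkill.exe") and owner["ppid"] in by_pid:
            owner = by_pid[owner["ppid"]]
        kills[owner["pid"]].add(target.lower())
    return {pid: sorted(t) for pid, t in kills.items() if len(t) >= threshold}


def find_masqueraders(events):
    """[(pid, image)] for processes whose image name is a Windows system
    binary name but whose path is outside C:\\Windows."""
    return [
        (e["pid"], e["image"])
        for e in events
        if basename(e["image"]).lower() in SYSTEM_NAMES
        and not e["image"].lower().startswith("c:\\windows\\")
    ]


if __name__ == "__main__":
    print("tool killers:", find_tool_killers(EVENTS))
    print("masquerading system names:", find_masqueraders(EVENTS))
```

The threshold is what keeps the first rule quiet: a single taskkill against Wireshark is ordinary administration, while one parent naming four or more different debuggers and sniffers within a short window is the pattern this sample shows. Because the count is attributed to the process above the cmd.exe/taskkill.exe wrappers, the rule is not defeated by the sample's habit of spawning a fresh cmd.exe for every target.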
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 08cc682417292fe4a048e5e466b13a1b
  SHA1: bd2feb697b639327de8eb67e6ac4957df8f3b7b3
  SHA256: 38182c14bb826f357f1348df2affc840df3173054347b4883b0e3ae18402448c
  SHA512: f5c5c49e9d652bdc3d89912880c2eefa80cce28fc3ecb7e3bb267969bd6dc79a5c8e218c307c869df2e63c50bb97a37813e47c6a87170c83a1bae4f9bf538267
- Filesize: 548KB
  MD5: 6c08ba3b33673a7979167a6138a42544
  SHA1: a065fa0d2d8d1d82dbb6cd1e1b3c8be2a09c74d1
  SHA256: bed8d059ed403a6ff674aee820d5b3b0df4e072d1e86d09af8b55703abe31038
  SHA512: 69ea45439d6a965758fe8e8bbe05f6d247231e72d98e7396a77f6958636b968eb43742dcc4a1be4a9f05e67a0b2c526c16e27b7e7c64ce8fafed7531d180c03e
- Filesize: 654B
  MD5: 11c6e74f0561678d2cf7fc075a6cc00c
  SHA1: 535ee79ba978554abcb98c566235805e7ea18490
  SHA256: d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
  SHA512: 32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
- Filesize: 675KB
  MD5: ed22ee40a790a5153cd085e9dbd7391f
  SHA1: f4e4d5723b2402c9a1c972b2c40ce2311d10171e
  SHA256: a4504aa12e11ba425fca91830b3bed4834dd44109a01d5ff8c75e110a482fcc5
  SHA512: 5cb1b65f1c7861f89f09fb35b0a3ce189f4ded76c952b60f4a5fdb7f6abca3268fa768a6576ff9f09d106e6ed0ba4391ddd9aabc684b7e3101f0fd64cdbcd5a3
- Filesize: 70KB
  MD5: ae702d156a2ee10aa0df4e5a365654a1
  SHA1: bad92787d53da53bda2f180f770752e679ba80c0
  SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
  SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c