Analysis
- max time kernel: 103s
- max time network: 40s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-03-2021 23:50

Static task: static1
Behavioral task: behavioral1
  Sample: wlnlogon.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: wlnlogon.exe
  Resource: win10v20201028

General
- Target: wlnlogon.exe
- Size: 34KB
- MD5: c626eb5448aafaeab9a3a207cca1f44c
- SHA1: b2197768b2f44c97e45a82ae9bfbbbb2a89c7cfa
- SHA256: 4939669c7aa568cd8e714bb26b512cecb7e6477fef8053e3fcfdf81741033593
- SHA512: 455c947fb9fe7dffc79a31e54d781b863bdb47acbf9ad7b4ab619177388a6bf7a01237cad945a88ee9e3121d74c01e74c851d3da89b4d3de5de4efb4389847e6
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
pid process
588 wbadmin.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GreenTea.css wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV wlnlogon.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png wlnlogon.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM wlnlogon.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02233_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297707.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199465.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\MSB1FRAR.ITS wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00046_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00261_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00159_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115840.GIF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBUI6.CHM wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\LICENSE wlnlogon.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\build note.txt wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174315.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212299.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip wlnlogon.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.[C5F19142].[metasload2021@protonmail.com].id2020 wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00076_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF wlnlogon.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml wlnlogon.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar wlnlogon.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233018.WMF wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar wlnlogon.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png wlnlogon.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB.[C5F19142].[metasload2021@protonmail.com].id2020 wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Aspect.thmx wlnlogon.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png wlnlogon.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat wlnlogon.exe
File opened for modification C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui wlnlogon.exe
File opened for modification C:\Program Files\Windows Journal\Templates\Genko_1.jtp wlnlogon.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif.[C5F19142].[metasload2021@protonmail.com].id2020 wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232171.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF wlnlogon.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF wlnlogon.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png wlnlogon.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
1224 vssadmin.exe
-
Modifies system certificate store
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 wlnlogon.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 wlnlogon.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 wlnlogon.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid process
644 wlnlogon.exe
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
description pid process
Token: SeBackupPrivilege 1440 vssvc.exe
Token: SeRestorePrivilege 1440 vssvc.exe
Token: SeAuditPrivilege 1440 vssvc.exe
Token: SeBackupPrivilege 1836 wbengine.exe
Token: SeRestorePrivilege 1836 wbengine.exe
Token: SeSecurityPrivilege 1836 wbengine.exe
Token: SeIncreaseQuotaPrivilege 1712 WMIC.exe
Token: SeSecurityPrivilege 1712 WMIC.exe
Token: SeTakeOwnershipPrivilege 1712 WMIC.exe
Token: SeLoadDriverPrivilege 1712 WMIC.exe
Token: SeSystemProfilePrivilege 1712 WMIC.exe
Token: SeSystemtimePrivilege 1712 WMIC.exe
Token: SeProfSingleProcessPrivilege 1712 WMIC.exe
Token: SeIncBasePriorityPrivilege 1712 WMIC.exe
Token: SeCreatePagefilePrivilege 1712 WMIC.exe
Token: SeBackupPrivilege 1712 WMIC.exe
Token: SeRestorePrivilege 1712 WMIC.exe
Token: SeShutdownPrivilege 1712 WMIC.exe
Token: SeDebugPrivilege 1712 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1712 WMIC.exe
Token: SeRemoteShutdownPrivilege 1712 WMIC.exe
Token: SeUndockPrivilege 1712 WMIC.exe
Token: SeManageVolumePrivilege 1712 WMIC.exe
Token: 33 1712 WMIC.exe
Token: 34 1712 WMIC.exe
Token: 35 1712 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1712 WMIC.exe
Token: SeSecurityPrivilege 1712 WMIC.exe
Token: SeTakeOwnershipPrivilege 1712 WMIC.exe
Token: SeLoadDriverPrivilege 1712 WMIC.exe
Token: SeSystemProfilePrivilege 1712 WMIC.exe
Token: SeSystemtimePrivilege 1712 WMIC.exe
Token: SeProfSingleProcessPrivilege 1712 WMIC.exe
Token: SeIncBasePriorityPrivilege 1712 WMIC.exe
Token: SeCreatePagefilePrivilege 1712 WMIC.exe
Token: SeBackupPrivilege 1712 WMIC.exe
Token: SeRestorePrivilege 1712 WMIC.exe
Token: SeShutdownPrivilege 1712 WMIC.exe
Token: SeDebugPrivilege 1712 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1712 WMIC.exe
Token: SeRemoteShutdownPrivilege 1712 WMIC.exe
Token: SeUndockPrivilege 1712 WMIC.exe
Token: SeManageVolumePrivilege 1712 WMIC.exe
Token: 33 1712 WMIC.exe
Token: 34 1712 WMIC.exe
Token: 35 1712 WMIC.exe
Token: 33 780 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 780 AUDIODG.EXE
Token: 33 780 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 780 AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
1088 NOTEPAD.EXE
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description pid process target process
PID 644 wrote to memory of 1720 644 wlnlogon.exe cmd.exe
PID 644 wrote to memory of 1720 644 wlnlogon.exe cmd.exe
PID 644 wrote to memory of 1720 644 wlnlogon.exe cmd.exe
PID 644 wrote to memory of 1720 644 wlnlogon.exe cmd.exe
PID 1720 wrote to memory of 1224 1720 cmd.exe vssadmin.exe
PID 1720 wrote to memory of 1224 1720 cmd.exe vssadmin.exe
PID 1720 wrote to memory of 1224 1720 cmd.exe vssadmin.exe
PID 1720 wrote to memory of 588 1720 cmd.exe wbadmin.exe
PID 1720 wrote to memory of 588 1720 cmd.exe wbadmin.exe
PID 1720 wrote to memory of 588 1720 cmd.exe wbadmin.exe
PID 1720 wrote to memory of 1712 1720 cmd.exe WMIC.exe
PID 1720 wrote to memory of 1712 1720 cmd.exe WMIC.exe
PID 1720 wrote to memory of 1712 1720 cmd.exe WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe"
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\wlnlogon.exe" n644
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (depth 3)
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe (depth 3)
      command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (depth 1)
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (depth 1)
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (depth 1)
  command line: C:\Windows\System32\vds.exe
- C:\Windows\explorer.exe (depth 1)
  command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x224
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE (depth 1)
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\build note.txt
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\build note.txt
  MD5: 1dc152e66947d7a81697a24f02407a9e
  SHA1: 4d95efc3d9403c6843bfce333a08a0451caec07c
  SHA256: 948e0a2ad1fabf16e73ffa6525a5b5bbaf0a6630a3f3d1d20b7f474fd3b803c9
  SHA512: 452adac16abb4e1f8292f0b2de0d8fe46f6d0c487f3c78466706b3e6781806df59acd4219ef96656d4dfe24102472befab1971db07244f89d186d314eb170f9b
- memory/288-9-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp
  Filesize: 2.5MB
- memory/588-6-0x0000000000000000-mapping.dmp
- memory/588-7-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp
  Filesize: 8KB
- memory/644-2-0x00000000765E1000-0x00000000765E3000-memory.dmp
  Filesize: 8KB
- memory/1224-5-0x0000000000000000-mapping.dmp
- memory/1712-8-0x0000000000000000-mapping.dmp
- memory/1720-4-0x0000000000000000-mapping.dmp