Malware Analysis Report

2024-09-22 14:41

Sample ID 220216-265jvaeca3
Target 0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40
SHA256 0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40
Tags
upx maze ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40

Threat Level: Known bad

The file 0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40 was found to be: Known bad.

Malicious Activity Summary

upx maze ransomware spyware stealer trojan

Maze

UPX packed file

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Drops file in Windows directory

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-02-16 23:12

Signatures

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

The static pass identifies only the packer. UPX on its own is not a malicious indicator (plenty of legitimate software ships UPX-packed); the Maze attribution and the 10/10 score come from the two behavioral detonations below. For static work, unpack first (upx -d normally succeeds unless the UPX headers were tampered with) before running strings or YARA against the sample.

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-16 23:12

Reported

2022-02-16 23:21

Platform

win7-en-20211208

Max time kernel

166s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe"

Signatures

Maze

trojan ransomware maze

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ConvertToAssert.png => C:\Users\Admin\Pictures\ConvertToAssert.png.uTua2A | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenGrant.crw => C:\Users\Admin\Pictures\OpenGrant.crw.0QTGYRo | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A

Each file keeps its original name and extension and receives a different appended suffix (.uTua2A, .0QTGYRo): a random per-file extension rather than one fixed ransomware extension. A detection keyed on a single known extension will miss this; key instead on many renames that append distinct suffixes within a short window.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c610cc5f09d409.tmp | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A

DECRYPT-FILES.txt is the ransom note; the copy in the Startup folder is opened at every logon. The 6c610cc5f09d409.tmp file with the same basename is opened for modification in every directory the sample walks (see the Program Files table below), so it is a per-run marker rather than a dropped payload; the Windows 10 run used a different basename (6b850caf9d78cc27.tmp).

Reads user/profile data of web browsers

spyware stealer (the signature fired, but the report records no indicator rows for it)

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe. Target for every row: N/A.

Description | Indicator
File opened for modification | C:\Program Files\MoveWrite.MOD
File opened for modification | C:\Program Files\OpenEnable.wm
File opened for modification | C:\Program Files\PingShow.mht
File created | C:\Program Files (x86)\DECRYPT-FILES.txt
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt
File opened for modification | C:\Program Files\ConfirmJoin.clr
File opened for modification | C:\Program Files\ConvertWrite.M2V
File opened for modification | C:\Program Files\ProtectUninstall.M2TS
File opened for modification | C:\Program Files\ResumeUse.potx
File opened for modification | C:\Program Files\SkipUnprotect.potx
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c610cc5f09d409.tmp
File opened for modification | C:\Program Files\RepairHide.wax
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c610cc5f09d409.tmp
File opened for modification | C:\Program Files (x86)\6c610cc5f09d409.tmp
File opened for modification | C:\Program Files\AssertFormat.ex_
File opened for modification | C:\Program Files\DisableConvert.mhtml
File opened for modification | C:\Program Files\ProtectCopy.ico
File opened for modification | C:\Program Files\PushInitialize.xsl
File opened for modification | C:\Program Files\RemoveSkip.ogg
File opened for modification | C:\Program Files\SaveRemove.txt
File opened for modification | C:\Program Files\EnterSet.aifc
File opened for modification | C:\Program Files\PushReset.emz
File opened for modification | C:\Program Files\ShowWait.clr
File opened for modification | C:\Program Files\InitializeEdit.mpeg3
File opened for modification | C:\Program Files\SelectEdit.mpe
File created | C:\Program Files\DECRYPT-FILES.txt
File opened for modification | C:\Program Files\BackupAssert.wpl
File opened for modification | C:\Program Files\ConvertFromStep.pot
File opened for modification | C:\Program Files\DisconnectCopy.htm
File opened for modification | C:\Program Files\DismountUnpublish.csv
File opened for modification | C:\Program Files\FormatWatch.temp
File opened for modification | C:\Program Files\UndoCompare.odt
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt
File opened for modification | C:\Program Files\DenyImport.odt
File opened for modification | C:\Program Files\FormatEdit.tiff
File opened for modification | C:\Program Files\PingUnblock.mp3
File opened for modification | C:\Program Files\SelectLock.clr
File opened for modification | C:\Program Files\SplitDisable.pdf
File opened for modification | C:\Program Files\SplitProtect.cr2
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt
File opened for modification | C:\Program Files\6c610cc5f09d409.tmp
File opened for modification | C:\Program Files\DebugMove.vsd
File opened for modification | C:\Program Files\FormatClose.xla
File opened for modification | C:\Program Files\GetPop.js
File opened for modification | C:\Program Files\PushTrace.pptm
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c610cc5f09d409.tmp

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

The process adjusting these privileges is vssvc.exe, the Volume Shadow Copy service, not the sample; enabling SeBackup, SeRestore and SeAudit is part of that service's normal start-up. The service starting during the detonation is consistent with the sample enumerating or deleting shadow copies, which ransomware commonly does before encrypting, but the report captures neither a vssadmin/wmic command line nor the COM call that would prove it, so confirm this on a full process trace before treating it as an indicator.

Processes

C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe

"C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
RU | 91.218.114.4:80 | | tcp
RU | 91.218.114.4:80 | | tcp
RU | 91.218.114.4:80 | | tcp
RU | 91.218.114.11:80 | | tcp
RU | 91.218.114.11:80 | | tcp
RU | 91.218.114.11:80 | | tcp

Six TCP connections to port 80 on two hosts in the same /24 (91.218.114.4 and 91.218.114.11), with no DNS query recorded before any of them, which is consistent with addresses hard-coded in the sample. The same two hosts recur in the Windows 10 run below, and they are the only destinations the two detonations have in common.

Files

memory/624-55-0x0000000076731000-0x0000000076733000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-16 23:12

Reported

2022-02-16 23:21

Platform

win10v2004-en-20220112

Max time kernel

168s

Max time network

198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe"

Signatures

Maze

trojan ransomware maze

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b850caf9d78cc27.tmp | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b850caf9d78cc27.tmp | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe | N/A

On Windows 10 the ransom note also lands in Word's STARTUP folder (AppData\Roaming\Microsoft\Word\STARTUP), which is a Word add-in directory rather than a Windows autostart location; the note is dropped wherever the sample walks, so its presence there is a side effect of directory traversal, not a separate persistence mechanism. The per-run marker basename changed from 6c610cc5f09d409.tmp (Windows 7) to 6b850caf9d78cc27.tmp, so the marker name is not a stable indicator.

Reads user/profile data of web browsers

spyware stealer (the signature fired, but the report records no indicator rows for it)

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe. Target for every row: N/A.

Description | Indicator
File created | C:\Program Files (x86)\DECRYPT-FILES.txt
File opened for modification | C:\Program Files (x86)\6b850caf9d78cc27.tmp
File opened for modification | C:\Program Files\6b850caf9d78cc27.tmp
File opened for modification | C:\Program Files\CloseUndo.eps
File opened for modification | C:\Program Files\OptimizePublish.asf
File opened for modification | C:\Program Files\RegisterUpdate.001
File opened for modification | C:\Program Files\UnpublishRequest.xls
File opened for modification | C:\Program Files\UpdateBackup.m4a
File opened for modification | C:\Program Files\BlockPop.DVR
File opened for modification | C:\Program Files\ImportUnregister.ods
File opened for modification | C:\Program Files\ResumeEnter.html
File opened for modification | C:\Program Files\SplitUnregister.emf
File created | C:\Program Files\DECRYPT-FILES.txt
File opened for modification | C:\Program Files\RevokeLimit.3gpp
File opened for modification | C:\Program Files\GetRevoke.midi
File opened for modification | C:\Program Files\MeasureResolve.vsdm
File opened for modification | C:\Program Files\MoveImport.gif

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A

None of these rows belong to the sample. svchost.exe (the NetworkService-hosted instance listed under Processes) writing Delivery Optimization state, TiWorker.exe (the servicing-stack worker) writing CBS.log and pending.xml, and MusNotifyIcon.exe (the Windows Update notification icon) reading the CPU clock value are Windows Update housekeeping that happened to run inside the 168 s window. Filter these processes out before deriving host IOCs from this run; the sample's own activity is confined to the file and startup tables above.

Modifies data under HKEY_USERS

Process for every row: C:\Windows\System32\svchost.exe. Target for every row: N/A. Key prefix for every row: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization

Description | Indicator (relative to the prefix above)
Set value (int) | \Usage\DownloadMonthlyCdnBytes = "90228624"
Set value (int) | \Usage\DownloadMonthlyRateBkBps = "0"
Set value (int) | \Usage\SwarmCount = "0"
Set value (int) | \Usage\DownloadMonthlyRateFrBps = "0"
Set value (int) | \Usage\MonthlyUploadRestriction = "0"
Set value (int) | \Usage\MemoryUsageKB = "4104"
Set value (int) | \Usage\MonthID = "2"
Set value (str) | \Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
Set value (int) | \Usage\CacheSizeBytes = "0"
Set value (int) | \Usage\PriorityDownloadCount = "0"
Set value (int) | \Usage\MonthID = "1"
Set value (int) | \Usage\InternetConnectionCount = "0"
Set value (int) | \Usage\DownlinkUsageBps = "0"
Key created | \Usage
Set value (int) | \Usage\DownloadMonthlyInternetBytes = "0"
Set value (int) | \Usage\DownloadMonthlyLinkLocalBytes = "0"
Set value (int) | \Usage\UploadRatePct = "100"
Set value (int) | \Usage\PriorityDownloadPendingCount = "0"
Set value (str) | \Usage\CPUpct = "0.000000"
Set value (int) | \Config\DODownloadMode = "1"
Set value (int) | \Usage\DownloadMonthlyRateFrCnt = "0"
Set value (int) | \Usage\FrDownloadRatePct = "90"
Set value (int) | \Usage\PeerInfoCount = "0"
Set value (int) | \Usage\UplinkUsageBps = "0"
Set value (int) | \Usage\MemoryUsageKB = "4252"
Set value (int) | \Usage\MemoryUsageKB = "3916"
Key created | \Config
Set value (int) | \Usage\GroupConnectionCount = "0"
Set value (str) | \Usage\CPUpct = "16.668000"
Set value (int) | \Usage\UploadMonthlyInternetBytes = "0"
Set value (int) | \Usage\DownloadMonthlyCacheHostBytes = "0"
Set value (int) | \Usage\UploadCount = "0"
Set value (int) | \Config\DownloadMode_BackCompat = "1"
Set value (int) | \Usage\SwarmCount = "1"
Set value (int) | \Usage\NormalDownloadCount = "0"
Key created | \Settings
Set value (int) | \Usage\NormalDownloadPendingCount = "0"
Set value (int) | \Usage\DownloadMonthlyCdnBytes = "0"
Set value (int) | \Usage\MemoryUsageKB = "4304"
Set value (int) | \Usage\LANConnectionCount = "0"
Set value (int) | \Usage\DownlinkBps = "0"
Set value (int) | \Usage\DownloadMonthlyRateBkCnt = "0"
Set value (str) | \Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
Set value (int) | \Usage\DownloadMonthlyGroupBytes = "0"
Set value (int) | \Usage\BkDownloadRatePct = "45"
Set value (str) | \Usage\CPUpct = "6.250072"
Set value (int) | \Config\KVFileExpirationTime = "132897035612722797"
Set value (int) | \Usage\UploadMonthlyLanBytes = "0"
Set value (int) | \Usage\DownloadMonthlyRateBkBps = "1157726"
Set value (int) | \Usage\CDNConnectionCount = "0"
Set value (int) | \Usage\LinkLocalConnectionCount = "0"
Set value (int) | \Usage\UplinkBps = "0"
Set value (str) | \Usage\CPUpct = "5.555133"
Key created | (the DeliveryOptimization key itself)
Set value (int) | \Usage\DownloadMonthlyLanBytes = "0"
Set value (int) | \Usage\DownloadMonthlyRateBkCnt = "4"

Every row is written by svchost.exe under S-1-5-20, the NETWORK SERVICE account's hive, and every key sits under DeliveryOptimization: this is the Delivery Optimization service's own configuration and usage bookkeeping, not activity of the sample. The Geo_EndpointFullUri and GeoVersion_EndpointFullUri values also account for the *.prod.do.dsp.mp.microsoft.com connections in the Network table below.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A

The report lists the three TiWorker.exe rows 11 times each (33 token adjustments in total, in repeating SeSecurity/SeRestore/SeBackup triples). As in the Windows 7 run, vssvc.exe enabling SeBackup, SeRestore and SeAudit is the Volume Shadow Copy service's normal start-up; its appearance while the sample runs is consistent with shadow-copy enumeration or deletion but is not proof of it, since no command line or COM call is captured. The TiWorker.exe adjustments are the servicing stack doing update work in the background and have nothing to do with the sample.

Processes

C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe

"C:\Users\Admin\AppData\Local\Temp\0d0a6f525dac3a44e345f33700160dc5bf32ac95c84ca1871836f6857db63c40.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.238.20.254:80 | | tcp
US | 8.238.20.254:80 | | tcp
NL | 104.80.224.57:443 | | tcp
RU | 91.218.114.4:80 | | tcp
US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp
IE | 20.54.24.231:443 | geo.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp
NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp
NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp
NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp
RU | 91.218.114.4:80 | | tcp
US | 13.107.21.200:443 | | tcp
RU | 91.218.114.11:80 | | tcp

Only 91.218.114.4:80 and 91.218.114.11:80 appear in both detonations, and both are contacted without a preceding DNS query, so they are the network indicators worth keeping from this report. The geo/kv801/cp801.prod.do.dsp.mp.microsoft.com rows are Delivery Optimization traffic matching the registry writes above, and the 106.89.54.20.in-addr.arpa row is a reverse lookup; treat those as sandbox background. The remaining direct connections (8.238.20.254, 104.80.224.57, 13.107.21.200) were not seen in the Windows 7 run and are not attributed to any process by the report.

Files

N/A
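As an added example, not part of the sandbox report, the following Python script turns the observations above into checks a triage analyst can run over rows in this report format: it detects the "original name kept, distinct suffix appended" rename pattern, lists the directories that received DECRYPT-FILES.txt, finds the per-run .tmp marker file, and intersects the Network tables of the two runs to keep only destinations seen in both. The indicator strings are copied from the tables in this report; the treatment of 8.8.8.8 as the sandbox resolver and the choice to flag any .tmp basename seen in more than one directory are assumptions of this example.

```python
import re
from collections import Counter

# Indicator cells copied from this report. RENAME_ROWS and FILE_ROWS are from
# the win7 run (behavioral1); NET_RUN1 / NET_RUN2 are the two Network tables.
RENAME_ROWS = [
    r"File renamed C:\Users\Admin\Pictures\ConvertToAssert.png => C:\Users\Admin\Pictures\ConvertToAssert.png.uTua2A",
    r"File renamed C:\Users\Admin\Pictures\OpenGrant.crw => C:\Users\Admin\Pictures\OpenGrant.crw.0QTGYRo",
]
FILE_ROWS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt",
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c610cc5f09d409.tmp",
    r"File opened for modification C:\Program Files\MoveWrite.MOD",
    r"File created C:\Program Files (x86)\DECRYPT-FILES.txt",
    r"File opened for modification C:\Program Files (x86)\6c610cc5f09d409.tmp",
    r"File created C:\Program Files\DECRYPT-FILES.txt",
    r"File opened for modification C:\Program Files\6c610cc5f09d409.tmp",
]
NET_RUN1 = [
    "RU 91.218.114.4:80 tcp", "RU 91.218.114.4:80 tcp", "RU 91.218.114.4:80 tcp",
    "RU 91.218.114.11:80 tcp", "RU 91.218.114.11:80 tcp", "RU 91.218.114.11:80 tcp",
]
NET_RUN2 = [
    "US 8.238.20.254:80 tcp",
    "NL 104.80.224.57:443 tcp",
    "RU 91.218.114.4:80 tcp",
    "US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp",
    "IE 20.54.24.231:443 geo.prod.do.dsp.mp.microsoft.com tcp",
    "NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp",
    "US 13.107.21.200:443 tcp",
    "RU 91.218.114.11:80 tcp",
]

SANDBOX_RESOLVER = "8.8.8.8"  # assumption: DNS queries to the sandbox resolver are not IOCs
RENAME_RE = re.compile(r"^File renamed (?P<old>.+?) => (?P<new>.+)$")
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def appended_extension(row):
    """Suffix appended by a rename that keeps the original name, else None."""
    m = RENAME_RE.match(row)
    if not m:
        return None
    old, new = m.group("old"), m.group("new")
    return new[len(old) + 1:] if new.startswith(old + ".") else None


def rename_pattern(rows):
    """Count appended-extension renames and the distinct suffixes they used.
    A fixed ransomware extension gives distinct_suffixes == 1; this sample
    uses a new suffix per file, so distinct_suffixes == renamed."""
    exts = [e for e in map(appended_extension, rows) if e]
    return {"renamed": len(exts), "distinct_suffixes": len(set(exts))}


def ransom_note_dirs(rows, note="DECRYPT-FILES.txt"):
    """Directories that received a copy of the ransom note, in report order."""
    prefix, suffix = "File created ", "\\" + note
    return [r[len(prefix):-len(suffix)] for r in rows
            if r.startswith(prefix) and r.endswith(suffix)]


def marker_files(rows):
    """.tmp basenames opened in more than one directory: per-run marker files."""
    prefix = "File opened for modification "
    names = Counter(r[len(prefix):].rsplit("\\", 1)[-1]
                    for r in rows if r.startswith(prefix) and r.endswith(".tmp"))
    return {name: n for name, n in names.items() if n > 1}


def parse_net(rows):
    """Set of ip:port destinations, skipping the resolver and unparseable rows."""
    out = set()
    for line in rows:
        m = NET_RE.match(line)
        if m and m.group("ip") != SANDBOX_RESOLVER:
            out.add(f"{m.group('ip')}:{m.group('port')}")
    return out


def common_destinations(*runs):
    """Destinations contacted in every detonation: the strongest network IOCs."""
    return sorted(set.intersection(*(parse_net(r) for r in runs)))


def unresolved_destinations(rows):
    """Destinations with no domain in the row, i.e. no DNS lookup recorded."""
    return sorted({f"{m.group('ip')}:{m.group('port')}"
                   for m in map(NET_RE.match, rows)
                   if m and m.group("domain") is None and m.group("ip") != SANDBOX_RESOLVER})


if __name__ == "__main__":
    print(rename_pattern(RENAME_ROWS))
    print(ransom_note_dirs(FILE_ROWS))
    print(marker_files(FILE_ROWS))
    print(common_destinations(NET_RUN1, NET_RUN2))
    print(unresolved_destinations(NET_RUN2))
```

Run it as-is to reproduce the figures quoted in the notes above; to apply it to another report, paste that report's Indicator cells and Network rows into the lists. The intersection step is the point: a single detonation mixes sample traffic with sandbox background, and only destinations that survive across runs on different Windows builds are worth blocking.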