Analysis Overview
SHA256
6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251
Threat Level: Known bad
The file 6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Drops startup file
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-02 18:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-02 18:42
Reported
2022-10-02 18:51
Platform
win7-20220812-en
Max time kernel
506s
Max time network
425s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\StartWatch.png => C:\Users\Admin\Pictures\StartWatch.png.4i7ZJi | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisconnectRevoke.crw => C:\Users\Admin\Pictures\DisconnectRevoke.crw.acEv | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DismountLock.png => C:\Users\Admin\Pictures\DismountLock.png.acEv | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportPing.crw => C:\Users\Admin\Pictures\ImportPing.crw.qHOgr | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LockTrace.tif => C:\Users\Admin\Pictures\LockTrace.tif.qHOgr | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RenameSend.png => C:\Users\Admin\Pictures\RenameSend.png.qHOgr | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c550cb4cb94778c.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\RestoreWatch.tiff | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SelectRevoke.m3u | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6c550cb4cb94778c.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\CompleteShow.asf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RestartClose.ico | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RestoreUnpublish.midi | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\DisableHide.ocx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\JoinReset.search-ms | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\NewWatch.3g2 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ReceiveSearch.xps | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\6c550cb4cb94778c.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\CheckpointApprove.zip | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c550cb4cb94778c.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RevokeGrant.mpg | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c550cb4cb94778c.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\InvokeConvert.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\OutTest.rmi | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ReadDisable.pps | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c550cb4cb94778c.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\MeasureDisconnect.scf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RenameResume.jpeg | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\i\..\Windows\e\..\system32\f\..\wbem\hett\syief\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
Network
Files
memory/1480-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp
memory/1008-55-0x0000000000000000-mapping.dmp
memory/1008-56-0x0000000076261000-0x0000000076263000-memory.dmp
memory/1008-57-0x0000000001E40000-0x0000000001E9E000-memory.dmp
memory/1008-61-0x0000000001E40000-0x0000000001E9E000-memory.dmp
memory/1008-62-0x0000000001E40000-0x0000000001E9E000-memory.dmp
memory/804-64-0x0000000000000000-mapping.dmp
memory/1008-65-0x0000000001E40000-0x0000000001E9E000-memory.dmp
C:\Users\Public\Desktop\DECRYPT-FILES.txt
| MD5 | a630b2dbce1d8c7da8fbbae5b2805823 |
| SHA1 | 2b0a1e9ef2f210caf4168e378e3e09911632f776 |
| SHA256 | 804a386348dd4de3a64712f35c9a505dac8d471bea95ecfaf7688b02def1750b |
| SHA512 | b0e1bd71973bfb685435f33295e49e09b3efe9010eb9a1e843fc32df2ef3553a24d49dfa289807958eb977d51a51d9f8d6782659e7aebed47ee734c2c0e030ec |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-02 18:42
Reported
2022-10-02 18:45
Platform
win10v2004-20220812-en
Max time kernel
127s
Max time network
151s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\InstallResume.png => C:\Users\Admin\Pictures\InstallResume.png.ugvzV | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OptimizeExpand.png => C:\Users\Admin\Pictures\OptimizeExpand.png.oIGWyz | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallUse.tif => C:\Users\Admin\Pictures\UninstallUse.tif.MqcJ5T | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b370c9f9ae8a9b6.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b370c9f9ae8a9b6.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\CompressUnpublish.ram | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\DisableConvert.temp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SyncExport.3gpp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\UninstallWrite.xps | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\AssertEdit.temp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\CompareUninstall.ram | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RestoreSet.AAC | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SelectUse.sql | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\WaitOptimize.sql | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\6b370c9f9ae8a9b6.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\CheckpointPop.png | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6b370c9f9ae8a9b6.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\StopApprove.temp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\UndoPush.mpe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 4596 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5036 wrote to memory of 4596 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5036 wrote to memory of 4596 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4596 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4596 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\o\tg\..\..\Windows\t\f\vfv\..\..\..\system32\w\qo\..\..\wbem\q\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410 0x404
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| LV | 185.82.126.147:80 | tcp | |
| US | 20.42.72.131:443 | tcp | |
| US | 8.253.135.241:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.253.135.241:80 | tcp | |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/4596-132-0x0000000000000000-mapping.dmp
memory/4596-133-0x00000000026F0000-0x000000000274E000-memory.dmp
memory/4596-137-0x00000000026F0000-0x000000000274E000-memory.dmp
memory/4596-138-0x00000000026F0000-0x000000000274E000-memory.dmp
memory/4596-139-0x00000000026F0000-0x000000000274E000-memory.dmp
memory/2636-140-0x0000000000000000-mapping.dmp