Malware Analysis Report

2024-09-22 14:40

Sample ID: 221002-xcswqsfdh7
Target: 6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll
SHA256: 6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251
Tags: maze, ransomware, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251

Threat Level: Known bad

The file 6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll was found to be: Known bad.

Malicious Activity Summary

maze ransomware trojan

Maze

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-10-02 18:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-02 18:42
Reported: 2022-10-02 18:51
Platform: win7-20220812-en
Max time kernel: 506s
Max time network: 425s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\StartWatch.png => C:\Users\Admin\Pictures\StartWatch.png.4i7ZJi C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\DisconnectRevoke.crw => C:\Users\Admin\Pictures\DisconnectRevoke.crw.acEv C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\DismountLock.png => C:\Users\Admin\Pictures\DismountLock.png.acEv C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\ImportPing.crw => C:\Users\Admin\Pictures\ImportPing.crw.qHOgr C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\LockTrace.tif => C:\Users\Admin\Pictures\LockTrace.tif.qHOgr C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\RenameSend.png => C:\Users\Admin\Pictures\RenameSend.png.qHOgr C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c550cb4cb94778c.tmp C:\Windows\SysWOW64\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\RestoreWatch.tiff C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\SelectRevoke.m3u C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\6c550cb4cb94778c.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\CompleteShow.asf C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\RestartClose.ico C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\RestoreUnpublish.midi C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\DisableHide.ocx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\JoinReset.search-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\NewWatch.3g2 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\ReceiveSearch.xps C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\6c550cb4cb94778c.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\CheckpointApprove.zip C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c550cb4cb94778c.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\RevokeGrant.mpg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c550cb4cb94778c.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\InvokeConvert.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\OutTest.rmi C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\ReadDisable.pps C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c550cb4cb94778c.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\MeasureDisconnect.scf C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\RenameResume.jpeg C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
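
The four signature groups above (random suffixes appended per file, the note dropped into the user's Startup folder, the wallpaper swap to a bitmap in Temp, and the same note copied into every Program Files directory) are individually weak and collectively decisive. The following is an added example, not part of this report or of the sandbox's own signature logic: it scores a process's file and registry events the way an analyst would triage them. The input is the behavioral1 rows above transcribed as structured events (every row's process is C:\Windows\SysWOW64\regsvr32.exe, so that column is omitted); the Event dataclass, the suffix regex and the thresholds are the example's own assumptions.

```python
"""
Added example: score one process's file/registry events for the ransomware
traits this report records. Thresholds are the example's own assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    kind: str                     # "rename" | "create" | "regset"
    path: str                     # source path, created path, or registry value path
    target: Optional[str] = None  # rename destination, or registry data


# Transcribed from the behavioral1 signature tables of this report.
REPORT_EVENTS: List[Event] = [
    Event("rename", r"C:\Users\Admin\Pictures\StartWatch.png", r"C:\Users\Admin\Pictures\StartWatch.png.4i7ZJi"),
    Event("rename", r"C:\Users\Admin\Pictures\DisconnectRevoke.crw", r"C:\Users\Admin\Pictures\DisconnectRevoke.crw.acEv"),
    Event("rename", r"C:\Users\Admin\Pictures\DismountLock.png", r"C:\Users\Admin\Pictures\DismountLock.png.acEv"),
    Event("rename", r"C:\Users\Admin\Pictures\ImportPing.crw", r"C:\Users\Admin\Pictures\ImportPing.crw.qHOgr"),
    Event("rename", r"C:\Users\Admin\Pictures\LockTrace.tif", r"C:\Users\Admin\Pictures\LockTrace.tif.qHOgr"),
    Event("rename", r"C:\Users\Admin\Pictures\RenameSend.png", r"C:\Users\Admin\Pictures\RenameSend.png.qHOgr"),
    Event("create", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt"),
    Event("create", r"C:\Program Files (x86)\DECRYPT-FILES.txt"),
    Event("create", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt"),
    Event("create", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt"),
    Event("create", r"C:\Program Files\DECRYPT-FILES.txt"),
    Event("create", r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt"),
    # Registry data exactly as the report shows it, including the doubled separator.
    Event("regset",
          r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper",
          "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp"),
]

# Random-looking suffix appended per file: 4-8 mixed-case alphanumerics (assumption).
APPENDED_EXT = re.compile(r"^\.[A-Za-z0-9]{4,8}$")


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the extra suffix if dst is src with one more '.ext' glued on, else None."""
    if not dst.startswith(src) or ntpath.dirname(src) != ntpath.dirname(dst):
        return None
    suffix = dst[len(src):]
    return suffix if APPENDED_EXT.match(suffix) else None


def in_startup_folder(path: str) -> bool:
    return "\\start menu\\programs\\startup\\" in path.lower()


def wallpaper_from_temp(value_path: str, data: str) -> bool:
    """Wallpaper value pointed at a bitmap under a Temp directory."""
    if not value_path.lower().endswith(r"\control panel\desktop\wallpaper"):
        return False
    normalized = ntpath.normpath(data).lower()  # also collapses the doubled '\\'
    return normalized.endswith(".bmp") and "\\temp\\" in normalized


def analyze(events: List[Event], min_note_dirs: int = 3) -> Dict[str, object]:
    """Combine the weak per-event signals into one verdict for the process."""
    suffixes = []
    for e in events:
        if e.kind == "rename":
            s = appended_extension(e.path, e.target or "")
            if s:
                suffixes.append(s)

    # A ransom note is a file with the same name created in many directories.
    dirs_by_name = defaultdict(set)
    for e in events:
        if e.kind == "create":
            dirs_by_name[ntpath.basename(e.path).lower()].add(ntpath.dirname(e.path))
    note_name, note_dirs = max(dirs_by_name.items(), key=lambda kv: len(kv[1]),
                               default=(None, set()))
    if len(note_dirs) < min_note_dirs:
        note_name, note_dirs = None, set()

    wallpaper = any(e.kind == "regset" and wallpaper_from_temp(e.path, e.target or "")
                    for e in events)

    findings: Dict[str, object] = {
        "renamed_files": len(suffixes),
        "distinct_suffixes": len(set(suffixes)),   # >1 means per-file random suffixes
        "note_name": note_name,
        "note_dirs": len(note_dirs),
        "note_in_startup": any(in_startup_folder(d + "\\") for d in note_dirs),
        "wallpaper_from_temp": wallpaper,
    }
    indicators = [
        len(suffixes) >= 5 and len(set(suffixes)) >= 2,
        note_name is not None,
        bool(findings["note_in_startup"]),
        wallpaper,
    ]
    findings["score"] = sum(indicators)
    findings["verdict"] = "ransomware" if sum(indicators) >= 3 else "inconclusive"
    return findings


if __name__ == "__main__":
    print(analyze(REPORT_EVENTS))
```

The suffix regex alone would also flag a handful of legitimate renames (a tool that appends ".orig", for instance), which is why the verdict requires several renames with more than one distinct suffix and at least two of the corroborating signals before calling it ransomware.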

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: none of the processes in this table is the sample itself. vssvc.exe (the Volume Shadow Copy service, invoked by the shadow-copy deletion) enables SeBackup, SeRestore and SeAudit; wmic.exe enables every privilege in its token when it starts; AUDIODG.EXE is the unrelated audio device graph host. The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, and 36 (Windows 10 run only) = SeDelegateSessionUserImpersonatePrivilege. The security-relevant event is the wmic shadowcopy delete in the Processes list, not these privilege adjustments.

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Note: fired by the NOTEPAD.EXE instance launched to display C:\Users\Public\Desktop\DECRYPT-FILES.txt (see Processes), i.e. the ransom note being shown to the user, not by the sample's own process.

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\i\..\Windows\e\..\system32\f\..\wbem\hett\syief\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\DECRYPT-FILES.txt

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x548

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc4
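
Both runs delete shadow copies through wmic.exe launched with a path padded with junk directories and ".." segments (see the wmic.exe command line in the Processes list above and in behavioral2). Detection rules that match the literal image path, such as a substring check for "\wbem\wmic.exe shadowcopy", miss both variants. The following is an added example, not part of this report or of the sandbox's signature logic: it normalizes the image path before matching. The two report command lines are the input; the benign control lines and the vssadmin branch are the example's own additions (this sample does not use vssadmin).

```python
"""
Added example: detect shadow-copy deletion even when the wmic.exe path is
obfuscated with junk directories and '..' segments, as in this report.
"""
import ntpath
import re
from typing import List

# Copied from the Processes sections of behavioral1 and behavioral2.
REPORT_CMDLINES = [
    r'"C:\i\..\Windows\e\..\system32\f\..\wbem\hett\syief\..\..\wmic.exe" shadowcopy delete',
    r'"C:\o\tg\..\..\Windows\t\f\vfv\..\..\..\system32\w\qo\..\..\wbem\q\..\wmic.exe" shadowcopy delete',
]

# Constructed benign controls (not from the report).
CONTROL_CMDLINES = [
    r'"C:\Windows\System32\wbem\WMIC.exe" os get caption',
    r'C:\Windows\system32\vssvc.exe',
    r'wmic shadowcopy list brief',
]


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows argv splitter: a double-quoted run is one token."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def normalize_image_path(raw: str) -> str:
    """Collapse '.' and '..' so C:\\i\\..\\Windows\\e\\..\\system32 becomes C:\\Windows\\system32."""
    return ntpath.normpath(raw).lower()


def image_name(cmdline: str) -> str:
    """Basename of the normalized argv[0]; a bare 'wmic' still resolves to wmic.exe."""
    argv = split_windows_cmdline(cmdline)
    if not argv:
        return ""
    name = ntpath.basename(normalize_image_path(argv[0]))
    return name if name.endswith(".exe") else name + ".exe"


def is_shadowcopy_deletion(cmdline: str) -> bool:
    """True for 'wmic shadowcopy delete' under any path obfuscation, and for the vssadmin form."""
    args = [a.lower() for a in split_windows_cmdline(cmdline)[1:]]
    name = image_name(cmdline)
    if name == "wmic.exe":
        return "shadowcopy" in args and "delete" in args
    if name == "vssadmin.exe":  # generalization: not used by this sample
        return "delete" in args and "shadows" in args
    return False


def scan(cmdlines: List[str]) -> List[str]:
    """Return the normalized image path of every command line that matched."""
    return [normalize_image_path(split_windows_cmdline(c)[0])
            for c in cmdlines if is_shadowcopy_deletion(c)]


if __name__ == "__main__":
    for hit in scan(REPORT_CMDLINES + CONTROL_CMDLINES):
        print("shadow-copy deletion via", hit)
```

Normalizing argv[0] is what makes the rule robust: both obfuscated paths collapse to c:\windows\system32\wbem\wmic.exe, so a detection keyed on the resolved image plus the "shadowcopy" and "delete" verbs fires regardless of how many junk segments are inserted.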

Network

N/A

Files

memory/1480-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

memory/1008-55-0x0000000000000000-mapping.dmp

memory/1008-56-0x0000000076261000-0x0000000076263000-memory.dmp

memory/1008-57-0x0000000001E40000-0x0000000001E9E000-memory.dmp

memory/1008-61-0x0000000001E40000-0x0000000001E9E000-memory.dmp

memory/1008-62-0x0000000001E40000-0x0000000001E9E000-memory.dmp

memory/804-64-0x0000000000000000-mapping.dmp

memory/1008-65-0x0000000001E40000-0x0000000001E9E000-memory.dmp

C:\Users\Public\Desktop\DECRYPT-FILES.txt

MD5 a630b2dbce1d8c7da8fbbae5b2805823
SHA1 2b0a1e9ef2f210caf4168e378e3e09911632f776
SHA256 804a386348dd4de3a64712f35c9a505dac8d471bea95ecfaf7688b02def1750b
SHA512 b0e1bd71973bfb685435f33295e49e09b3efe9010eb9a1e843fc32df2ef3553a24d49dfa289807958eb977d51a51d9f8d6782659e7aebed47ee734c2c0e030ec

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-02 18:42
Reported: 2022-10-02 18:45
Platform: win10v2004-20220812-en
Max time kernel: 127s
Max time network: 151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InstallResume.png => C:\Users\Admin\Pictures\InstallResume.png.ugvzV C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\OptimizeExpand.png => C:\Users\Admin\Pictures\OptimizeExpand.png.oIGWyz C:\Windows\SysWOW64\regsvr32.exe N/A
File renamed C:\Users\Admin\Pictures\UninstallUse.tif => C:\Users\Admin\Pictures\UninstallUse.tif.MqcJ5T C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b370c9f9ae8a9b6.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b370c9f9ae8a9b6.tmp C:\Windows\SysWOW64\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CompressUnpublish.ram C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\DisableConvert.temp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\SyncExport.3gpp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\UninstallWrite.xps C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\AssertEdit.temp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\CompareUninstall.ram C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\RestoreSet.AAC C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\SelectUse.sql C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\WaitOptimize.sql C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\6b370c9f9ae8a9b6.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\CheckpointPop.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\6b370c9f9ae8a9b6.tmp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\StopApprove.temp C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files\UndoPush.mpe C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Note: each writer/target pair below is a parent and the child it launched. The 64-bit C:\Windows\system32\regsvr32.exe (PID 5036) re-launches its 32-bit SysWOW64 counterpart (PID 4596) because the DLL is 32-bit, and that process in turn starts wmic.exe (PID 2636) for the shadow-copy deletion. Writes into a freshly created child are part of process creation, so these rows corroborate the process tree rather than indicate code injection into an unrelated process.

Description Indicator Process Target
PID 5036 wrote to memory of 4596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5036 wrote to memory of 4596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5036 wrote to memory of 4596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4596 wrote to memory of 2636 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wbem\wmic.exe
PID 4596 wrote to memory of 2636 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wbem\wmic.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6713403015feb8959093f5d007bcbdbb3be9eec96dd62f517786b67506067251.dll

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\o\tg\..\..\Windows\t\f\vfv\..\..\..\system32\w\qo\..\..\wbem\q\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x410 0x404

Network

Note: the table records no originating process, so the sample's own traffic cannot be separated from Windows 10 background traffic here. Repeated rows are repeated connections to the same destination; the two UDP rows are reverse (PTR) lookups sent to 8.8.8.8.

Country  Destination        Domain                                                                   Proto
US       209.197.3.8:80     -                                                                        tcp
LV       185.82.126.147:80  -                                                                        tcp
US       20.42.72.131:443   -                                                                        tcp
US       8.253.135.241:80   -                                                                        tcp
US       204.79.197.200:443 -                                                                        tcp
US       209.197.3.8:80     -                                                                        tcp
US       209.197.3.8:80     -                                                                        tcp
US       8.253.135.241:80   -                                                                        tcp
US       8.8.8.8:53         164.2.77.40.in-addr.arpa                                                 udp
US       8.8.8.8:53         9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa  udp

Files

memory/4596-132-0x0000000000000000-mapping.dmp

memory/4596-133-0x00000000026F0000-0x000000000274E000-memory.dmp

memory/4596-137-0x00000000026F0000-0x000000000274E000-memory.dmp

memory/4596-138-0x00000000026F0000-0x000000000274E000-memory.dmp

memory/4596-139-0x00000000026F0000-0x000000000274E000-memory.dmp

memory/2636-140-0x0000000000000000-mapping.dmp