Analysis
  max time kernel: 93s
  max time network: 95s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 17-11-2022 22:41
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.FileRepMalware.13968.19609.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.FileRepMalware.13968.19609.exe
  Resource: win10v2004-20221111-en
General
  Target: SecuriteInfo.com.FileRepMalware.13968.19609.exe
  Size: 847KB
  MD5: 586d6732d8c8d4045b05276f2a0cbf53
  SHA1: e58187c1708079e9487310f8c4b34722e4271f35
  SHA256: ad534790700a9daa5fda6452692590e5e8c86d6a86aec0110822d0b54a6c21d9
  SHA512: edfb4e63b497793678977aad364e5c85919981fe9a93d74d64b4339b3596fd44d8c8b943d0b3bfcc95689e9476ea86fdff0822fd7de77870ef6430176b97792b
  SSDEEP: 24576:NmSo/l/4X2EM3GdNsFiKZqzYvqi/NmZrRV/tJ:NcaXNM2PBKZAsAZrRVVJ
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
  Family: makop
  Emails: gamigin0612@tutanota.com, mammon0503@protonmail.com, pecunia0318@goat.si
Signatures
Makop
  Ransomware family discovered by @VK_Intel in early 2020.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes:
    pid   process
    1760  wbadmin.exe
Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description                   ioc                                    process
    File opened for modification  C:\Users\Admin\Pictures\SyncPush.tiff  SecuriteInfo.com.FileRepMalware.13968.19609.exe
Loads dropped DLL (2 IoCs)
  Processes:
    pid  process
    948  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    768  SecuriteInfo.com.FileRepMalware.13968.19609.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                         pid  process                                          target process
    PID 948 set thread context of 1348  948  SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 768 set thread context of 892   768  SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
Drops file in Program Files directory (64 IoCs)
  Processes (all entries by process SecuriteInfo.com.FileRepMalware.13968.19609.exe):
    description                   ioc
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF
    File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMDOS.FAE
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\PREVIEW.GIF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png
    File opened for modification  C:\Program Files\Java\jre7\lib\net.properties
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png
    File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF
    File opened for modification  C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png
    File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\readme-warning.txt
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01218_.WMF
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji
    File opened for modification  C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Urban.thmx
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBCALSO.POC
    File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Denver
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\PREVIEW.GIF
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\THMBNAIL.PNG
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\DEFAULT.XSL
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC
    File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme-warning.txt
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico
    File created                  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\readme-warning.txt
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.HXS
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js
    File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\menu_arrow.gif
    File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML
    File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1176  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1348  SecuriteInfo.com.FileRepMalware.13968.19609.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid  process
    948  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    768  SecuriteInfo.com.FileRepMalware.13968.19609.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    description                           pid   process
    Token: SeBackupPrivilege              868   vssvc.exe
    Token: SeRestorePrivilege             868   vssvc.exe
    Token: SeAuditPrivilege               868   vssvc.exe
    Token: SeBackupPrivilege              976   wbengine.exe
    Token: SeRestorePrivilege             976   wbengine.exe
    Token: SeSecurityPrivilege            976   wbengine.exe
    Token: SeIncreaseQuotaPrivilege       1144  WMIC.exe
    Token: SeSecurityPrivilege            1144  WMIC.exe
    Token: SeTakeOwnershipPrivilege       1144  WMIC.exe
    Token: SeLoadDriverPrivilege          1144  WMIC.exe
    Token: SeSystemProfilePrivilege       1144  WMIC.exe
    Token: SeSystemtimePrivilege          1144  WMIC.exe
    Token: SeProfSingleProcessPrivilege   1144  WMIC.exe
    Token: SeIncBasePriorityPrivilege     1144  WMIC.exe
    Token: SeCreatePagefilePrivilege      1144  WMIC.exe
    Token: SeBackupPrivilege              1144  WMIC.exe
    Token: SeRestorePrivilege             1144  WMIC.exe
    Token: SeShutdownPrivilege            1144  WMIC.exe
    Token: SeDebugPrivilege               1144  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   1144  WMIC.exe
    Token: SeRemoteShutdownPrivilege      1144  WMIC.exe
    Token: SeUndockPrivilege              1144  WMIC.exe
    Token: SeManageVolumePrivilege        1144  WMIC.exe
    Token: 33                             1144  WMIC.exe
    Token: 34                             1144  WMIC.exe
    Token: 35                             1144  WMIC.exe
    Token: SeIncreaseQuotaPrivilege       1144  WMIC.exe
    Token: SeSecurityPrivilege            1144  WMIC.exe
    Token: SeTakeOwnershipPrivilege       1144  WMIC.exe
    Token: SeLoadDriverPrivilege          1144  WMIC.exe
    Token: SeSystemProfilePrivilege       1144  WMIC.exe
    Token: SeSystemtimePrivilege          1144  WMIC.exe
    Token: SeProfSingleProcessPrivilege   1144  WMIC.exe
    Token: SeIncBasePriorityPrivilege     1144  WMIC.exe
    Token: SeCreatePagefilePrivilege      1144  WMIC.exe
    Token: SeBackupPrivilege              1144  WMIC.exe
    Token: SeRestorePrivilege             1144  WMIC.exe
    Token: SeShutdownPrivilege            1144  WMIC.exe
    Token: SeDebugPrivilege               1144  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   1144  WMIC.exe
    Token: SeRemoteShutdownPrivilege      1144  WMIC.exe
    Token: SeUndockPrivilege              1144  WMIC.exe
    Token: SeManageVolumePrivilege        1144  WMIC.exe
    Token: 33                             1144  WMIC.exe
    Token: 34                             1144  WMIC.exe
    Token: 35                             1144  WMIC.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                        pid   process                                          target process
    PID 948 wrote to memory of 1348    948   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 948 wrote to memory of 1348    948   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 948 wrote to memory of 1348    948   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 948 wrote to memory of 1348    948   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 948 wrote to memory of 1348    948   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 1348 wrote to memory of 1344   1348  SecuriteInfo.com.FileRepMalware.13968.19609.exe  cmd.exe
    PID 1348 wrote to memory of 1344   1348  SecuriteInfo.com.FileRepMalware.13968.19609.exe  cmd.exe
    PID 1348 wrote to memory of 1344   1348  SecuriteInfo.com.FileRepMalware.13968.19609.exe  cmd.exe
    PID 1348 wrote to memory of 1344   1348  SecuriteInfo.com.FileRepMalware.13968.19609.exe  cmd.exe
    PID 1344 wrote to memory of 1176   1344  cmd.exe                                          vssadmin.exe
    PID 1344 wrote to memory of 1176   1344  cmd.exe                                          vssadmin.exe
    PID 1344 wrote to memory of 1176   1344  cmd.exe                                          vssadmin.exe
    PID 1344 wrote to memory of 1760   1344  cmd.exe                                          wbadmin.exe
    PID 1344 wrote to memory of 1760   1344  cmd.exe                                          wbadmin.exe
    PID 1344 wrote to memory of 1760   1344  cmd.exe                                          wbadmin.exe
    PID 1344 wrote to memory of 1144   1344  cmd.exe                                          WMIC.exe
    PID 1344 wrote to memory of 1144   1344  cmd.exe                                          WMIC.exe
    PID 1344 wrote to memory of 1144   1344  cmd.exe                                          WMIC.exe
    PID 768 wrote to memory of 892     768   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 768 wrote to memory of 892     768   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 768 wrote to memory of 892     768   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 768 wrote to memory of 892     768   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
    PID 768 wrote to memory of 892     768   SecuriteInfo.com.FileRepMalware.13968.19609.exe  SecuriteInfo.com.FileRepMalware.13968.19609.exe
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe"
      - Modifies extensions of user files
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe" n1348
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe" n1348
    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      [4] C:\Windows\system32\wbadmin.exe
          Command line: wbadmin delete catalog -quiet
          - Deletes backup catalog
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\681096313
  Filesize: 645KB
  MD5: 470cc9935c68fd64655ccb51d5d0d731
  SHA1: cba611dbd1f784c0bffa64720181327004b23653
  SHA256: fcc3cf71d0be88e485e9c3e19adc64438b038562643aac3e52aa98e82280d8b6
  SHA512: f363c352bc41d81fcbb1095b0e0c784fcf23053f70156d5495db065871d99df87ce1dac40a0d5740fdac5608f538c6647d1e8053ae3bd6152c618e18665e2ee6
C:\Users\Admin\AppData\Roaming\681096313
  Filesize: 645KB
  MD5: 4a999bd39cc217ed041f49e90d432c68
  SHA1: aa0938f6e95ee2cac1f78f7873c44b8a1996ce20
  SHA256: fddb8492d52b3f9648663504c720193aae307410fe95bb94e0c3c9830a028046
  SHA512: d4add5ad28b92cf467262549ad1f49eac8c48c31e95cea476a2c7629b15df90d7bac8e8de8047007889bafd482e1aa3d8fce7748cd70a3a6f29ca43b77d1a114
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
  Filesize: 1KB
  MD5: 65a0c3ca4b1252e724a2ff56314fa7e8
  SHA1: c59fbabbce2e3b43afbe5bcc1680dd1505518288
  SHA256: 731206b9ed7a0f2cadaeea4aa3bc95bb71d16efd114cfe877e6dd41ad9a94704
  SHA512: 1cef85d4521d8e4cc78e924cc930a1a5b97aa6fdbeb05be3e15f2012586fefe2b074ccf0ef3f31472a4948f7771b6235ac0fb72174c04e17811a035668522b9a
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
  Filesize: 1KB
  MD5: e2b37db383f97fbd165990be837ef2ad
  SHA1: 6192572e4a3ca510c3c37ea4794c537c9ace7e11
  SHA256: 9c5d69ee91e4e1f43b1e3b84eeb36c0b33e14e7e7181f332bf7b6e4171c4465e
  SHA512: 73804092fe20350738492993a8e38fd785c213213b25f8854200170a8637a5f5cfa95c3d2d2d905421d531bd75e01016e6428894dd6e117ac9af549ace186505
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
  Filesize: 1KB
  MD5: 922e70bcfdbce1a981ae13996f62941d
  SHA1: f6a934fd31ea3ade31921c36fc10210cb5adfee6
  SHA256: bf5bea75601ce7ed776337d4bd7fc751b3a04f424332476eb6aaf337f960d496
  SHA512: 7be89aa770d98d916ece9aa60fe7f4e1d12d09c2b28187f048184e358402e244391adc435fef119c34c17a00ec08b5963519d48c3cfdcbd3b45e951ece5a7f0b
\Users\Admin\AppData\Local\Temp\nsd12.tmp\System.dll
  Filesize: 11KB
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
\Users\Admin\AppData\Local\Temp\nst1306.tmp\System.dll
  Filesize: 11KB
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
memory/892-72-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
memory/892-69-0x0000000000405680-mapping.dmp
memory/892-71-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
memory/948-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB
memory/1144-68-0x0000000000000000-mapping.dmp
memory/1176-64-0x0000000000000000-mapping.dmp
memory/1344-59-0x0000000000000000-mapping.dmp
memory/1348-73-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
memory/1348-58-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
memory/1348-56-0x0000000000405680-mapping.dmp
memory/1348-77-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
memory/1760-66-0x0000000000000000-mapping.dmp
memory/1760-67-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp
  Filesize: 8KB