Malware Analysis Report

2024-09-22 14:33

Sample ID 230108-pmlleagh71
Target 3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
SHA256 3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
Tags
maze ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363

Threat Level: Known bad

The file 3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363 was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-08 12:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-08 12:26

Reported

2023-01-08 12:29

Platform

win10v2004-20220901-en

Max time kernel

123s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\EditRequest.png => C:\Users\Admin\Pictures\EditRequest.png.LQ4CxCB C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\GroupMeasure.crw => C:\Users\Admin\Pictures\GroupMeasure.crw.LQ4CxCB C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\JoinSave.raw => C:\Users\Admin\Pictures\JoinSave.raw.LQ4CxCB C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File opened for modification C:\Users\Admin\Pictures\MountClear.tiff C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\RenameUnlock.crw => C:\Users\Admin\Pictures\RenameUnlock.crw.AAVCo C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\BackupSplit.tif => C:\Users\Admin\Pictures\BackupSplit.tif.wWdUwtK C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteEnable.raw => C:\Users\Admin\Pictures\CompleteEnable.raw.wWdUwtK C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\DisconnectEdit.tiff => C:\Users\Admin\Pictures\DisconnectEdit.tiff.LQ4CxCB C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisconnectEdit.tiff C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\MountClear.tiff => C:\Users\Admin\Pictures\MountClear.tiff.LQ4CxCB C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m6imsakp.dat C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\m6imsakp.dat C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe

"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\v\yu\f\..\..\..\Windows\ajm\ipmuh\hqtts\..\..\..\system32\v\..\wbem\gcdb\kyfur\xqm\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\jkjce\cqig\o\..\..\..\Windows\gylte\rv\..\..\system32\fs\sulk\fcxh\..\..\..\wbem\s\kfhhs\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec 0x150

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 20.42.73.24:443 tcp
N/A 204.79.197.200:443 tcp
N/A 178.79.208.1:80 tcp
N/A 104.80.225.205:443 tcp

Files

memory/2404-132-0x0000000002350000-0x00000000023A9000-memory.dmp

memory/2404-136-0x0000000002350000-0x00000000023A9000-memory.dmp

memory/2404-137-0x0000000002350000-0x00000000023A9000-memory.dmp

memory/1100-138-0x0000000000000000-mapping.dmp

memory/4788-139-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-08 12:26

Reported

2023-01-08 12:29

Platform

win7-20220812-en

Max time kernel

141s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CheckpointShow.tiff C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointShow.tiff => C:\Users\Admin\Pictures\CheckpointShow.tiff.XWsp C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\ExitStart.tif => C:\Users\Admin\Pictures\ExitStart.tif.Alkem C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestartSubmit.tiff C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\RestartSubmit.tiff => C:\Users\Admin\Pictures\RestartSubmit.tiff.Bk9kL C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\SkipOut.tif => C:\Users\Admin\Pictures\SkipOut.tif.FStaKG C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\FormatRevoke.raw => C:\Users\Admin\Pictures\FormatRevoke.raw.Alkem C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\InitializeClear.crw => C:\Users\Admin\Pictures\InitializeClear.crw.Bk9kL C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\JoinShow.crw => C:\Users\Admin\Pictures\JoinShow.crw.Bk9kL C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File renamed C:\Users\Admin\Pictures\PublishExit.crw => C:\Users\Admin\Pictures\PublishExit.crw.Bk9kL C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1rwav.dat C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe

"C:\Users\Admin\AppData\Local\Temp\3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\ny\..\Windows\gnji\gb\dwg\..\..\..\system32\xmgr\jgsut\lwanx\..\..\..\wbem\v\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\bhxnt\..\Windows\aency\mrs\nt\..\..\..\system32\mrcd\..\wbem\xyq\eu\mysw\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x540

Network

N/A

Files

memory/1900-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

memory/1900-55-0x00000000001E0000-0x0000000000239000-memory.dmp

memory/1900-59-0x00000000001E0000-0x0000000000239000-memory.dmp

memory/1900-60-0x00000000001E0000-0x0000000000239000-memory.dmp

memory/1760-61-0x0000000000000000-mapping.dmp

memory/1900-62-0x00000000001E0000-0x0000000000239000-memory.dmp

memory/456-63-0x0000000000000000-mapping.dmp