Analysis Overview
SHA256
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Threat Level: Known bad
The file 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-10 12:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-10 12:55
Reported
2023-02-10 13:05
Platform
win7-20220901-en
Max time kernel
466s
Max time network
424s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\OpenAssert.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenAssert.tiff => C:\Users\Admin\Pictures\OpenAssert.tiff.mBv8 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompareCopy.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareCopy.tiff => C:\Users\Admin\Pictures\CompareCopy.tiff.fxHL | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6d070cc32835808b.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1972 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1972 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1972 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\dxby\l\y\..\..\..\Windows\runri\g\ufc\..\..\..\system32\xq\jshcn\nhsm\..\..\..\wbem\i\unuvo\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xcc
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| RU | 91.218.114.79:80 | tcp |
Files
memory/1972-54-0x0000000075D71000-0x0000000075D73000-memory.dmp
memory/1972-55-0x0000000000220000-0x000000000027E000-memory.dmp
memory/1972-59-0x0000000000220000-0x000000000027E000-memory.dmp
memory/1972-61-0x0000000000221000-0x000000000025A000-memory.dmp
memory/1604-62-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-10 12:55
Reported
2023-02-10 13:08
Platform
win10v2004-20221111-en
Max time kernel
726s
Max time network
754s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\OpenLimit.tiff => C:\Users\Admin\Pictures\OpenLimit.tiff.OiIX | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddConvertFrom.tif => C:\Users\Admin\Pictures\AddConvertFrom.tif.YkhuiMx | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CopyClose.tif => C:\Users\Admin\Pictures\CopyClose.tif.LjEcWqQ | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyOut.png => C:\Users\Admin\Pictures\DenyOut.png.LjEcWqQ | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenLimit.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestSave.raw => C:\Users\Admin\Pictures\TestSave.raw.XAg0Z | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableAdd.png => C:\Users\Admin\Pictures\DisableAdd.png.LjEcWqQ | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RequestUnregister.crw => C:\Users\Admin\Pictures\RequestUnregister.crw.XAg0Z | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetJoin.png => C:\Users\Admin\Pictures\ResetJoin.png.XAg0Z | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendDebug.tif => C:\Users\Admin\Pictures\SendDebug.tif.XAg0Z | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6bed0cae4b2c7b91.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6bed0cae4b2c7b91.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3664 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 3664 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\mo\aeja\mj\..\..\..\Windows\dmw\onp\..\..\system32\uhs\..\wbem\ma\..\wmic.exe" shadowcopy delete
Network
| Country | Destination | Domain | Proto |
| IE | 20.50.80.209:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| US | 72.21.81.240:80 | tcp | |
| US | 72.21.81.240:80 | tcp | |
| US | 72.21.81.240:80 | tcp | |
| US | 8.247.210.254:80 | tcp | |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.32:80 | 91.218.114.32 | tcp |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.77:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| RU | 91.218.114.79:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp |
Files
memory/3664-132-0x00000000006E0000-0x000000000073E000-memory.dmp
memory/3664-136-0x00000000006E0000-0x000000000073E000-memory.dmp
memory/3664-138-0x00000000006E1000-0x000000000071A000-memory.dmp
memory/3092-139-0x0000000000000000-mapping.dmp