Analysis Overview
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
Threat Level: Known bad
The file e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.bin was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Drops startup file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-20 12:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-20 12:36
Reported
2023-10-20 12:39
Platform
win7-20230831-en
Max time kernel
136s
Max time network
149s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8kwiyi.dat | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\ckqr\cjam\..\..\Windows\qtbu\uujx\..\..\system32\strly\nbncv\..\..\wbem\s\xlhg\naqs\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\h\qmqpp\..\..\Windows\pe\sxar\..\..\system32\qtu\..\wbem\wjov\ldgjq\fbp\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
| Country | Destination | Domain | Proto |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| SI | 92.63.17.245:80 | 92.63.17.245 | tcp |
| PL | 92.63.32.55:80 | tcp |
Files
memory/3016-0-0x0000000000070000-0x00000000000C9000-memory.dmp
memory/3016-1-0x00000000004C0000-0x000000000051B000-memory.dmp
memory/3016-6-0x00000000004C0000-0x000000000051B000-memory.dmp
memory/3016-10-0x00000000004C0000-0x000000000051B000-memory.dmp
C:\MSOCache\DECRYPT-FILES.html
| MD5 | dd0412f3c4d9b88e4124b192d7a7407d |
| SHA1 | 877173e17b9b2d38fbac0613ad6c00c758a27360 |
| SHA256 | 9c24bd6b3b4634958ea532d364ab33f008998c61966f9f82d448459cdfc0cf8b |
| SHA512 | 9dbb8efeb10229069fcaa15981d64ad536f8387dc3ca41aa48cc9f4c71ef5dd5d38e6830158b78c28a9c8f81e482336aa192f262e2488335ba087a323c8eb35c |
memory/3016-14-0x00000000004C0000-0x000000000051B000-memory.dmp
memory/3016-1718-0x00000000004C0000-0x000000000051B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7126A68A5EA84868B8AADBA6E08C0FA2.dat
| MD5 | e5dc13d5977fb9536837d0b5b5f93806 |
| SHA1 | d4319921ef7229c53617120ec9c663668499e650 |
| SHA256 | 88e70419d9a4d9fc0b27ed1eb1790c5ce61ea579063842275e9f0a70b8ff2f16 |
| SHA512 | 336ac984b05304b28bb45e4f7e2ad0674e996e520751a33c4939fc901be3f4f3c0cb3ac98744d9c907c774672e8ceb45c1853fba6d61aa163dba1f2321fd927f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-20 12:36
Reported
2023-10-20 12:39
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70lbe4ww5.dat | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\70lbe4ww5.dat | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4000 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4000 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4000 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4000 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\m\..\Windows\rbav\..\system32\jkne\pkfnh\..\..\wbem\x\..\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\d\nmh\..\..\Windows\h\ps\..\..\system32\dm\..\wbem\bepxh\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x31c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| TR | 92.63.8.47:80 | tcp | |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| SI | 92.63.17.245:80 | 92.63.17.245 | tcp |
| PL | 92.63.32.55:80 | tcp | |
| US | 8.8.8.8:53 | 245.17.63.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.194.63.92.in-addr.arpa | udp |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.32.55:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/4000-0-0x0000000002580000-0x00000000025D9000-memory.dmp
memory/4000-1-0x0000000002720000-0x000000000277B000-memory.dmp
memory/4000-6-0x0000000002720000-0x000000000277B000-memory.dmp
memory/4000-10-0x0000000002720000-0x000000000277B000-memory.dmp
memory/4000-11-0x0000000002720000-0x000000000277B000-memory.dmp
memory/4000-15-0x0000000002720000-0x000000000277B000-memory.dmp
C:\Users\DECRYPT-FILES.html
| MD5 | 9ac945060a34aabaf34f52cc99f39fbe |
| SHA1 | 4755036a0c3e0ceb548347c25003319cb0efe2b0 |
| SHA256 | 0f9932c83170b1b0a83187c4dc045732266399dcc4af91e5a0b9a29336326ccc |
| SHA512 | a0ec64d369ed739c430b8fc885fadb6527770f73635dc0503e91066537c9e38b232e9d8b17f138a8b05b277d25e1a9a478faaf986061b2b5ce7ecf9dab552187 |
memory/4000-4894-0x0000000002720000-0x000000000277B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_3F9B692A79854BADB08EF88D58242CD0.dat
| MD5 | e138584e3df90dbe6f55232c0fff93d0 |
| SHA1 | a72c63341a493113f415bab492c816cf2006e03d |
| SHA256 | 242082ac6ebc54dabdcfc8874bf431d5984aa1594f5ff156dbb0a310204bb1d3 |
| SHA512 | cfb651198fa967617fa1d9a0a5b8362d85adb13b14825a24a160bde1e80a59d271134c692e6139f5ba8704265fc62ba26cde36d1b36813fce7838083aea68e2c |