Overview
Tasks and scores:
overview                                 score 9
static                                   score 3
gpg.exe             windows7-x64         score 1
gpg.exe             windows10-2004-x64   score 1
gpgconf.exe         windows7-x64         score 1
gpgconf.exe         windows10-2004-x64   score 1
libassuan-0.dll     windows7-x64         score 3
libassuan-0.dll     windows10-2004-x64   score 3
libgcrypt-20.dll    windows7-x64         score 1
libgcrypt-20.dll    windows10-2004-x64   score 3
libgpg-error-0.dll  windows7-x64         score 1
libgpg-error-0.dll  windows10-2004-x64   score 1
libnpth-0.dll       windows7-x64         score 1
libnpth-0.dll       windows10-2004-x64   score 1
libsqlite3-0.dll    windows7-x64         score 1
libsqlite3-0.dll    windows10-2004-x64   score 3
trkop.vbs           windows7-x64         score 9
trkop.vbs           windows10-2004-x64   score 9
zapa.bat            windows7-x64         score 7
zapa.bat            windows10-2004-x64   score 1
zlib1.dll           windows7-x64         score 3
zlib1.dll           windows10-2004-x64   score 3

Analysis
max time kernel: 136s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:07
Static task
static1

Behavioral tasks (sample / resource)
behavioral1: gpg.exe / win7-20240221-en
behavioral2: gpg.exe / win10v2004-20240508-en
behavioral3: gpgconf.exe / win7-20240221-en
behavioral4: gpgconf.exe / win10v2004-20240508-en
behavioral5: libassuan-0.dll / win7-20240221-en
behavioral6: libassuan-0.dll / win10v2004-20240508-en
behavioral7: libgcrypt-20.dll / win7-20240508-en
behavioral8: libgcrypt-20.dll / win10v2004-20240508-en
behavioral9: libgpg-error-0.dll / win7-20231129-en
behavioral10: libgpg-error-0.dll / win10v2004-20240426-en
behavioral11: libnpth-0.dll / win7-20240419-en
behavioral12: libnpth-0.dll / win10v2004-20240508-en
behavioral13: libsqlite3-0.dll / win7-20240220-en
behavioral14: libsqlite3-0.dll / win10v2004-20240426-en
behavioral15: trkop.vbs / win7-20240508-en
behavioral16: trkop.vbs / win10v2004-20240426-en (this report)
behavioral17: zapa.bat / win7-20240221-en
behavioral18: zapa.bat / win10v2004-20240508-en
behavioral19: zlib1.dll / win7-20240419-en
behavioral20: zlib1.dll / win10v2004-20240508-en
General
Target: trkop.vbs
Size: 4KB
MD5: e709fe17f4e7f99292b8685ddd0a0a7c
SHA1: f7f05bd5b2b4c134577a375f4d3d29fda36fc146
SHA256: 101f060edf89f4362ee6657acc110f88d3140090fb676620049a2407b503b837
SHA512: 58a3df44e7123d84abe59be6af06587845157f3e75132c0c55b891cd911c77ab0fa958eb1c395c17d34fec02fc07af93b57aa3188cb4bb9f66a251a9b23b9647
SSDEEP: 96:UgWBAP2GmFP5AI2IYAvk4yZxIe2H132Tes2X2nj2jW32p2eR2p52pvc272nRgu/b:UAPbmFPrKlZxLk3uesceKso2eRo5okGY
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    WScript.exe: key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    msedge.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid, process, event count):
    1916 gpg.exe (1)
    4112 msedge.exe (2)
    2424 msedge.exe (2)
    5008 identity_helper.exe (2)
    4600 msedge.exe (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: 2424 msedge.exe (6)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes:
    2244 WMIC.exe, each privilege enabled twice (42 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    2336 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  This privilege set is what wmic.exe enables on its own token whenever it runs; the telling artifact is the "shadowcopy delete" command line in the process tree, not the token adjustments.
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: 2424 msedge.exe (25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: 2424 msedge.exe (24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid/process -> target pid/process, event count):
    1168 WScript.exe -> 2084 gpg.exe (3)
    1168 WScript.exe -> 1916 gpg.exe (3)
    1168 WScript.exe -> 2424 msedge.exe (2)
    2424 msedge.exe -> 2076 msedge.exe (2)
    1168 WScript.exe -> 2244 WMIC.exe (2)
    1168 WScript.exe -> 1680 cmd.exe (2)
    2424 msedge.exe -> 3616 msedge.exe (40)
    2424 msedge.exe -> 4112 msedge.exe (2)
    2424 msedge.exe -> 936 msedge.exe (8)
  Two or three writes per spawned child are what the sandbox records for ordinary process creation; the useful information here is the parent/child chain, which shows WScript.exe (pid 1168, the trkop.vbs host) launching both gpg.exe runs, WMIC.exe, cmd.exe and msedge.exe directly.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\System32\WScript.exe (pid 1168)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trkop.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gpg.exe (pid 2084)
    "C:\Users\Admin\AppData\Local\Temp\gpg.exe" --import C:\Users\Admin\AppData\Local\Temp\yin1abtn.cq124aqq
  C:\Users\Admin\AppData\Local\Temp\gpg.exe (pid 1916)
    "C:\Users\Admin\AppData\Local\Temp\gpg.exe" -r y1688 --yes -q --no-verbose --trust-model always -o C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY -e C:\Users\Admin\AppData\Local\Temp\rizot.doc
    - Suspicious behavior: EnumeratesProcesses
    The first gpg.exe run imports the public key dropped as yin1abtn.cq124aqq into the user's keyring (see pubring.kbx under Downloads). The second encrypts rizot.doc to the imported recipient y1688 and writes the OpenPGP output to BLKLOCK.KEY; --trust-model always suppresses the prompt GnuPG would otherwise raise for a key with no trust path, and --yes lets the output file be overwritten without asking. Only the attacker's private key, which is not on the host, can decrypt BLKLOCK.KEY.
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (pid 2424)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcda1246f8,0x7ffcda124708,0x7ffcda124718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\wbem\WMIC.exe (pid 2244)
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (pid 1680)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zapa.bat" "
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\vssvc.exe (pid 2336)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
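The process tree above is the part of this report worth turning into detection logic: a script host spawning a dropped GnuPG binary with --trust-model always and -e, wmic deleting shadow copies, and a browser opened on a local decrypt note. The following is an added example, not part of the sandbox output and not any vendor's rule set. The events are constructed from the report's own images, command lines and PIDs; the parent PIDs follow the tree depth shown above, which is an assumption since the report lists no PPID column.

```python
"""Detection rules for the trkop.vbs behaviour, run over reconstructed
process-creation events. Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events: images, command lines and PIDs copied from the report;
# parent PIDs are assumed from the tree depth (the report has no PPID column).
EVENTS = [
    ProcEvent(1168, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trkop.vbs"'),
    ProcEvent(2084, 1168, r"C:\Users\Admin\AppData\Local\Temp\gpg.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\gpg.exe" --import '
              r'C:\Users\Admin\AppData\Local\Temp\yin1abtn.cq124aqq'),
    ProcEvent(1916, 1168, r"C:\Users\Admin\AppData\Local\Temp\gpg.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\gpg.exe" -r y1688 --yes -q --no-verbose '
              r'--trust-model always -o C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY '
              r'-e C:\Users\Admin\AppData\Local\Temp\rizot.doc'),
    ProcEvent(2424, 1168, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
              r'--single-argument C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html'),
    ProcEvent(2244, 1168, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(1680, 1168, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zapa.bat" "'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
SHADOW_DELETE = (
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
)


def tokens(cmdline):
    """Approximate Windows argument splitting: a quoted run or a run of non-space."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def opt_value(args, name):
    """Value following an option such as --trust-model, or None if absent."""
    for i, a in enumerate(args[:-1]):
        if a == name:
            return args[i + 1]
    return None


def detect(events):
    """Return (pid, label, reason) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "unknown"
        args = tokens(e.cmdline)[1:]
        lower = [a.lower() for a in args]

        # T1059.005: a script host started on a script living in a user-writable path.
        if name in ("wscript.exe", "cscript.exe") and any(
                a.endswith(SCRIPT_EXT) and USER_WRITABLE.search(a) for a in lower):
            findings.append((e.pid, "T1059.005", f"{name} running a script from a user-writable path"))

        # T1490: shadow copies removed through wmic or vssadmin.
        if any(rx.search(e.cmdline) for rx in SHADOW_DELETE):
            findings.append((e.pid, "T1490", f"{name} deleting shadow copies, parent {parent_name}"))

        # T1486: a GnuPG binary outside Program Files encrypting (-e/--encrypt) with
        # --trust-model always, so the freshly imported key raises no trust prompt.
        if (name == "gpg.exe" and USER_WRITABLE.search(e.image)
                and {"-e", "--encrypt"} & set(lower)
                and opt_value(lower, "--trust-model") == "always"):
            findings.append((e.pid, "T1486", f"gpg.exe encrypting for recipient "
                             f"{opt_value(args, '-r') or '?'}, parent {parent_name}"))

        # Ransom note: a script host opening a local note-like file in a browser.
        if (name in BROWSERS and parent_name in SCRIPT_HOSTS and any(
                a.endswith((".html", ".htm", ".txt")) and "decrypt" in a for a in lower)):
            findings.append((e.pid, "ransom-note", f"{name} opened a local decrypt note"))
    return findings


if __name__ == "__main__":
    for pid, label, reason in detect(EVENTS):
        print(f"{pid:>5}  {label:<10} {reason}")
```

The gpg rule deliberately requires -e together with --trust-model always and a binary outside Program Files, so the --import run (pid 2084) and an administrator's normal GnuPG install do not fire; tune USER_WRITABLE and BROWSERS to the estate being monitored.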
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 2fb8885a9316a7d166a045b43d3be4d2
  SHA1: 12a18acff816136f55162afed56aa6d31816a587
  SHA256: 0a411d62a61b3ac4c13469b92785df80804c7d404562c1ea55c822daa76b2572
  SHA512: 1c92cfa921cfa0eb958e23fcd9aacdf48fbd09a40c014e3639f9dda618fcccaaefd5e8a9d5943a39cb6e8959f92ce6da7cbe17867d41d0eba6e6a5ee62684a63
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: f36b5da70377f38a8919b55878d01dab
  SHA1: 31129310f4812fd05a4b4d7eac0c75d5f8119cb2
  SHA256: de74a7c320701081b267874922ab5a252ee1c5d3bc3f0e16acf1c0174dde742b
  SHA512: daac89cb20bea06c9b77eeeec388e0bb894753d84034ad41bc4baa4374ea38e8ab61477e637ac5d58131527200c17032dc11e770c998dd714d911c96bb77387f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8b40bf937a57b503a29982bd2277a648
  SHA1: 5b3cdcd39228cb79459e3a79f6e45b0f804c6847
  SHA256: 7d38f28c8500ef63ea04e1ac724f7808f95e9e8ece17b4a6346ff9d983d43ed7
  SHA512: 7e2481104d18ffe314a9f461a0d0e729aaae27bbb7ba2fd87f0a08d783b45d609b05b312b086b28bd8ea8d37dfc6385f379c9f3a3b30aef4d18f17571a03ae96
- C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY (output of the gpg.exe -e run, OpenPGP binary format)
  Filesize: 363B
  MD5: 4b1632fad71f6a4405303bd0beb040e3
  SHA1: 9b3dd96ff0b53db4088489d51fbb33763e4bbd65
  SHA256: 16d2cd5c3bd66ac1e56c950c4ecf6a82bea582adb2a58c2e296d1e891814f071
  SHA512: 0d6620caa59a1cc61ed97a820130f4021979cc6147e29f603ccef4edd171fed43a13ddb5e578624ff559da43d4de88dfb5479a8665bb4822043c1b3e73ab5f1b
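BLKLOCK.KEY is whatever `gpg -e` wrote for rizot.doc, so its OpenPGP packet framing (RFC 4880) names the key it was encrypted to: a Public-Key Encrypted Session Key packet carries the recipient's 64-bit key ID and public-key algorithm in the clear, before any ciphertext. The walker below recovers that from the dropped file so an analyst can match it against the key the first gpg.exe run imported into pubring.kbx. It is an added example, not part of the sandbox report and not GnuPG code; the sample bytes are constructed, with a made-up key ID and a toy-sized MPI.

```python
"""Recover recipient key IDs from a `gpg -e` output such as BLKLOCK.KEY by
walking its OpenPGP packet headers (RFC 4880 section 4.2) and PKESK bodies
(section 5.1). Added example; not part of the report and not GnuPG code."""
import struct

PUBKEY_ALGOS = {1: "RSA (encrypt or sign)", 2: "RSA (encrypt only)",
                16: "Elgamal (encrypt only)", 18: "ECDH"}
PKESK, SED, SEIPD = 1, 9, 18  # packet tags this walker cares about


def packet_header(buf, pos):
    """Return (tag, body_offset, body_len) for the header at pos. body_len is
    None for indeterminate or partial lengths, which only the trailing
    encrypted-data packet may legitimately use."""
    b = buf[pos]
    if not b & 0x80:
        raise ValueError(f"no OpenPGP packet header at offset {pos:#x}")
    if b & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5 length octets
        tag, o1 = b & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None  # 224..254: partial body length
    tag, ltype = (b >> 2) & 0x0F, b & 0x03  # old-format header
    if ltype == 3:
        return tag, pos + 1, None  # indeterminate length
    n = 1 << ltype  # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def recipients(buf):
    """List one dict per Public-Key Encrypted Session Key packet, in file order."""
    if buf.startswith(b"-----BEGIN PGP"):
        raise ValueError("ASCII-armored input; run it through `gpg --dearmor` first")
    pos, found = 0, []
    while pos < len(buf):
        tag, body, length = packet_header(buf, pos)
        if tag in (SED, SEIPD):
            break  # ciphertext starts here; no further recipient packets follow
        if length is None:
            raise ValueError(f"indeterminate length on packet tag {tag}")
        if tag == PKESK:
            ver, key_id, algo = buf[body], buf[body + 1:body + 9], buf[body + 9]
            if ver != 3:
                raise ValueError(f"unsupported PKESK version {ver}")
            found.append({
                "key_id": key_id.hex().upper(),
                # gpg --throw-keyids / --hidden-recipient writes an all-zero key ID
                "hidden": key_id == b"\x00" * 8,
                "algorithm": PUBKEY_ALGOS.get(algo, f"unknown ({algo})"),
            })
        pos = body + length
    return found


# Constructed sample: one v3 PKESK to an RSA key with a toy 128-bit MPI (a real
# session-key ciphertext is 2048+ bits), followed by a truncated SEIPD packet.
SAMPLE = bytes.fromhex(
    "841c"                  # old-format header: tag 1, one length octet, 28-byte body
    "03"                    # PKESK version 3
    "0123456789abcdef"      # recipient key ID (made up for this example)
    "01"                    # public-key algorithm 1 = RSA
    "0080" + "a55a" * 8 +   # MPI: 128-bit count, then 16 octets
    "d20b01" + "ff" * 10    # new-format header: tag 18, 11-byte body (version 1 + data)
)
SAMPLE_HIDDEN = SAMPLE.replace(bytes.fromhex("0123456789abcdef"), b"\x00" * 8)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for r in recipients(data):
        print(r)
```

Run it as `python recover_recipients.py BLKLOCK.KEY` (the script name is illustrative), then compare the printed key ID with `gpg --homedir <copy of AppData\Roaming\gnupg> --list-keys --keyid-format long`; a match confirms the file was encrypted to the imported public key, whose private half never touches the victim host. An all-zero key ID means the encryptor hid the recipient, and the walker stops at the first encrypted-data packet because everything after it is ciphertext.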
- C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html
  Filesize: 719B
  MD5: 67a3375773562e7e470c820536880720
  SHA1: 6ab9afcc84754315ff874fd5718f003ec2d8d23f
  SHA256: 315bbddec308682ed567e96410ec6a78065ba5a986ea082b95d0091001e75026
  SHA512: 0e611ae7f0395fc55c522b6625afe1b43d74dbe4bb43d0524f5c43b305ac1741dcae3dc711e88ec8e91ecfc5a5050459a34a030e1dfb56f971a5e68e8d033ae9
- C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.txt
  Filesize: 351B
  MD5: cd193d25475714fabab7a9ca80856383
  SHA1: 9dd655e367e63c26403822f410fb68ff11a2d435
  SHA256: 0fd72f68474bc84ce018a32cffc177b576001871295c2833528162626c402e4b
  SHA512: 6c49b36d848e805fd4ae88b477d0400d07b9850a51baf28830520c0918c2d16137be19891efa8d965c0d57ef26b189b30751d0281c98dae27883ad1b4055a2a5
- C:\Users\Admin\AppData\Local\Temp\rizot.doc (first write)
  Filesize: 22B
  MD5: 8b02833af3c49d5c43dadeae182f5771
  SHA1: c1d2fab3dc3818cf9f9850bca733460f6cd7cbfa
  SHA256: a3d861d614c1fc049cbc9b1f52274533418a4bb0f684c9167226eaac533ee1bb
  SHA512: 779f59c8eb2586acf32423fb2eab8ea0209ed5065a5bfdefb8d6f9b9557519fb38f2ae0810d76958a7a9d6116ea41d8e379d99a7616bd31953638ccfbb396010
- C:\Users\Admin\AppData\Local\Temp\rizot.doc (second write)
  Filesize: 87B
  MD5: 1e7c8aef2705d09c6d2d3064f4b3441b
  SHA1: 966bbf4f2c13066a6d01da31c4734e062944f65f
  SHA256: c1ebe509542f5a3027feafe813474fb2ea8c6d8247c84554e7d8542337168c03
  SHA512: 6ee16ede6b39d6f54fc6eb9cbbf0a0c1c8e60eb8ab559d3e70b01a97924ac4b61fa5c18a979315d6d35a3f07eb0e8668449962f3bb51123bff34bb781a9b0b27
- C:\Users\Admin\AppData\Roaming\gnupg\pubring.kbx (keyring written by the gpg.exe --import run)
  Filesize: 1KB
  MD5: 134bf38d9f66826ee77cf93c010e4850
  SHA1: 90b464ebfdb01e79711528fec179472e2cf72f0f
  SHA256: 48bbd0f4199ed901ae9f713556898831e6f0bfb52865d52ba58f977fdabafccd
  SHA512: 0cf9324e0d1c4da6d72af978244b81dc43f1c663bfb0fd8eb458b5d1a62d7bcff78e25670f19ba648542232f564b8a30e2162942abc662034fd627e8a7cdd750
- C:\Users\Admin\AppData\Roaming\gnupg\trustdb.gpg
  Filesize: 1KB
  MD5: 7b997637aa9488dc83c16d78bb85fe6d
  SHA1: be2ad69c1e33ea073ebf049a52c369c75b349634
  SHA256: 6130b0bbe9ccf41d2a0dbf72173c6c2b2ed4e9afa37fe3f811a1e221ba32282e
  SHA512: e749ae40d3a9092ee53eacee4226056f7f7a433f36cc34b86e7d1a1aa172f4f7a9ef9a2864cb298b46e3f7e46f3b6efb2e974e8befbf57cfe7dd67551fb8baa7
- \??\pipe\LOCAL\crashpad_2424_LSDIBJCAWUOOHKUN (Edge crashpad pipe; no size recorded, and the hashes below are those of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps (the same six regions appear in both gpg.exe processes, pid 2084 and pid 1916):
- memory/1916-25-0x0000000063080000-0x00000000630A0000-memory.dmp  Filesize: 128KB
- memory/1916-22-0x00000000655C0000-0x00000000656BA000-memory.dmp  Filesize: 1000KB
- memory/1916-24-0x0000000066580000-0x000000006664C000-memory.dmp  Filesize: 816KB
- memory/1916-20-0x0000000000400000-0x0000000000519000-memory.dmp  Filesize: 1.1MB
- memory/1916-21-0x0000000065A80000-0x0000000065A99000-memory.dmp  Filesize: 100KB
- memory/1916-23-0x000000006B480000-0x000000006B4AF000-memory.dmp  Filesize: 188KB
- memory/2084-9-0x0000000000400000-0x0000000000519000-memory.dmp   Filesize: 1.1MB
- memory/2084-10-0x0000000065A80000-0x0000000065A99000-memory.dmp  Filesize: 100KB
- memory/2084-14-0x00000000655C0000-0x00000000656BA000-memory.dmp  Filesize: 1000KB
- memory/2084-11-0x000000006B480000-0x000000006B4AF000-memory.dmp  Filesize: 188KB
- memory/2084-12-0x0000000066580000-0x000000006664C000-memory.dmp  Filesize: 816KB
- memory/2084-13-0x0000000063080000-0x00000000630A0000-memory.dmp  Filesize: 128KB