b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1

Analysis

max time kernel
193s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 23:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe
Size

3.0MB
MD5

c2304d10fca46da64b7e4c91295f2d22
SHA1

92e66bacb7129f672d34b5f855b2a5b2721be2ee
SHA256

b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1
SHA512

f6db7a31fd6ab2fdeb5e1f4f99b945c749ae33f154da45f4f1cd1cf9705271374d10fffc46f88890b41e395560a5244843f443ff7fed279a732c4dd56a05e9e8
SSDEEP

49152:BdaaxdGvpwh7+UCSQTbHKlYtSFIZzg4ismy4keHFg5J7Daae3a6p+mTQYzcizg:/jxkBwha8Q/HKlYtQGvoA5J7DP3/YIb

Score

10^/10

evasion spyware stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	4ksqk4592KS.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	4ksqk4592KS.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	4ksqk4592KS.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\4ksqk4592KS.exe = "C:\\Users\\Admin\\AppData\\Roaming\\4ksqk4592KS.exe:*:enabled:@shell32.dll,-1"	4ksqk4592KS.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	4ksqk4592KS.exe

Executes dropped EXE 2 IoCs

pid	Process
2604	3ksqk4592KS.exe
4984	4ksqk4592KS.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000002264b-138.dat	upx
behavioral2/files/0x000300000002264b-139.dat	upx
behavioral2/memory/4984-140-0x0000000000400000-0x000000000118C000-memory.dmp	upx
behavioral2/memory/4984-141-0x0000000000400000-0x000000000118C000-memory.dmp	upx
behavioral2/memory/4984-142-0x0000000000400000-0x000000000118C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	whatismyip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3680	4984	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe
4984	4ksqk4592KS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	4ksqk4592KS.exe
Token: SeDebugPrivilege	2604	3ksqk4592KS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4984	4ksqk4592KS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2604	4160	b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe	86
PID 4160 wrote to memory of 2604	4160	b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe	86
PID 4160 wrote to memory of 4984	4160	b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe	87
PID 4160 wrote to memory of 4984	4160	b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe	87
PID 4160 wrote to memory of 4984	4160	b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe	87
PID 4984 wrote to memory of 580	4984	4ksqk4592KS.exe	75
PID 4984 wrote to memory of 580	4984	4ksqk4592KS.exe	75
PID 4984 wrote to memory of 580	4984	4ksqk4592KS.exe	75
PID 4984 wrote to memory of 580	4984	4ksqk4592KS.exe	75
PID 4984 wrote to memory of 580	4984	4ksqk4592KS.exe	75
PID 4984 wrote to memory of 580	4984	4ksqk4592KS.exe	75
PID 4984 wrote to memory of 668	4984	4ksqk4592KS.exe	73
PID 4984 wrote to memory of 668	4984	4ksqk4592KS.exe	73
PID 4984 wrote to memory of 668	4984	4ksqk4592KS.exe	73
PID 4984 wrote to memory of 668	4984	4ksqk4592KS.exe	73
PID 4984 wrote to memory of 668	4984	4ksqk4592KS.exe	73
PID 4984 wrote to memory of 668	4984	4ksqk4592KS.exe	73
PID 4984 wrote to memory of 768	4984	4ksqk4592KS.exe	72
PID 4984 wrote to memory of 768	4984	4ksqk4592KS.exe	72
PID 4984 wrote to memory of 768	4984	4ksqk4592KS.exe	72
PID 4984 wrote to memory of 768	4984	4ksqk4592KS.exe	72
PID 4984 wrote to memory of 768	4984	4ksqk4592KS.exe	72
PID 4984 wrote to memory of 768	4984	4ksqk4592KS.exe	72
PID 4984 wrote to memory of 776	4984	4ksqk4592KS.exe	71
PID 4984 wrote to memory of 776	4984	4ksqk4592KS.exe	71
PID 4984 wrote to memory of 776	4984	4ksqk4592KS.exe	71
PID 4984 wrote to memory of 776	4984	4ksqk4592KS.exe	71
PID 4984 wrote to memory of 776	4984	4ksqk4592KS.exe	71
PID 4984 wrote to memory of 776	4984	4ksqk4592KS.exe	71
PID 4984 wrote to memory of 784	4984	4ksqk4592KS.exe	70
PID 4984 wrote to memory of 784	4984	4ksqk4592KS.exe	70
PID 4984 wrote to memory of 784	4984	4ksqk4592KS.exe	70
PID 4984 wrote to memory of 784	4984	4ksqk4592KS.exe	70
PID 4984 wrote to memory of 784	4984	4ksqk4592KS.exe	70
PID 4984 wrote to memory of 784	4984	4ksqk4592KS.exe	70
PID 4984 wrote to memory of 892	4984	4ksqk4592KS.exe	69
PID 4984 wrote to memory of 892	4984	4ksqk4592KS.exe	69
PID 4984 wrote to memory of 892	4984	4ksqk4592KS.exe	69
PID 4984 wrote to memory of 892	4984	4ksqk4592KS.exe	69
PID 4984 wrote to memory of 892	4984	4ksqk4592KS.exe	69
PID 4984 wrote to memory of 892	4984	4ksqk4592KS.exe	69
PID 4984 wrote to memory of 948	4984	4ksqk4592KS.exe	68
PID 4984 wrote to memory of 948	4984	4ksqk4592KS.exe	68
PID 4984 wrote to memory of 948	4984	4ksqk4592KS.exe	68
PID 4984 wrote to memory of 948	4984	4ksqk4592KS.exe	68
PID 4984 wrote to memory of 948	4984	4ksqk4592KS.exe	68
PID 4984 wrote to memory of 948	4984	4ksqk4592KS.exe	68
PID 4984 wrote to memory of 1020	4984	4ksqk4592KS.exe	67
PID 4984 wrote to memory of 1020	4984	4ksqk4592KS.exe	67
PID 4984 wrote to memory of 1020	4984	4ksqk4592KS.exe	67
PID 4984 wrote to memory of 1020	4984	4ksqk4592KS.exe	67
PID 4984 wrote to memory of 1020	4984	4ksqk4592KS.exe	67
PID 4984 wrote to memory of 1020	4984	4ksqk4592KS.exe	67
PID 4984 wrote to memory of 408	4984	4ksqk4592KS.exe	1
PID 4984 wrote to memory of 408	4984	4ksqk4592KS.exe	1
PID 4984 wrote to memory of 408	4984	4ksqk4592KS.exe	1
PID 4984 wrote to memory of 408	4984	4ksqk4592KS.exe	1
PID 4984 wrote to memory of 408	4984	4ksqk4592KS.exe	1
PID 4984 wrote to memory of 408	4984	4ksqk4592KS.exe	1
PID 4984 wrote to memory of 712	4984	4ksqk4592KS.exe	66
PID 4984 wrote to memory of 712	4984	4ksqk4592KS.exe	66
PID 4984 wrote to memory of 712	4984	4ksqk4592KS.exe	66
PID 4984 wrote to memory of 712	4984	4ksqk4592KS.exe	66
PID 4984 wrote to memory of 712	4984	4ksqk4592KS.exe	66

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4984 -ip 4984
  2⤵
  PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2028

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:752
- C:\Users\Admin\AppData\Local\Temp\b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe
  "C:\Users\Admin\AppData\Local\Temp\b9078c0d7f22c68e45f19bc5c9de1919f6a07f4cf85ccb8aa391d675e8e687f1.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Roaming\3ksqk4592KS.exe
    "C:\Users\Admin\AppData\Roaming\3ksqk4592KS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Users\Admin\AppData\Roaming\4ksqk4592KS.exe
    "C:\Users\Admin\AppData\Roaming\4ksqk4592KS.exe"
    3⤵
    - Modifies firewall policy service
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 744
      4⤵
      Program crash
      PID:3680

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2500

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:712

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4180

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3ksqk4592KS.exe

Filesize
413KB

MD5
23ecc65f9108e60ccd765c1e3347ed83

SHA1
5145b5f65264875f5d441893cdbc8bf370a3565b

SHA256
0b883655a060c3ae39db71e79e90c5be71148a5c3dc30c9fb9ca770951942b6a

SHA512
3e5960b9f0dd5e07d71a092a468afa94b025c1e90f086c59e0d807adbe2b5b44d3dc99be83709895b85e17fade38c63cdf837097e30ae668088ad12a0673d9e5

Download Submit
C:\Users\Admin\AppData\Roaming\3ksqk4592KS.exe

Filesize
413KB

MD5
23ecc65f9108e60ccd765c1e3347ed83

SHA1
5145b5f65264875f5d441893cdbc8bf370a3565b

SHA256
0b883655a060c3ae39db71e79e90c5be71148a5c3dc30c9fb9ca770951942b6a

SHA512
3e5960b9f0dd5e07d71a092a468afa94b025c1e90f086c59e0d807adbe2b5b44d3dc99be83709895b85e17fade38c63cdf837097e30ae668088ad12a0673d9e5

Download Submit
C:\Users\Admin\AppData\Roaming\4ksqk4592KS.exe

Filesize
2.4MB

MD5
0eb32fdbc6848121f719a83cf6714ff7

SHA1
20d1abca5f20fbf002bb1072e66156f1d79adf2d

SHA256
9caa6dbd37baaeae941ae38b66ccd65d74715a62433bcd15e036aa0437baa82f

SHA512
31cda597f2e388714ae905f7e1db68770c27110259ff9ed1fbf71ba9477aa98ff58aea757ac7d29a95d654737c031db8b43229ada3ff7e583efb54bee276e4c5

Download Submit
C:\Users\Admin\AppData\Roaming\4ksqk4592KS.exe

Filesize
2.4MB

MD5
0eb32fdbc6848121f719a83cf6714ff7

SHA1
20d1abca5f20fbf002bb1072e66156f1d79adf2d

SHA256
9caa6dbd37baaeae941ae38b66ccd65d74715a62433bcd15e036aa0437baa82f

SHA512
31cda597f2e388714ae905f7e1db68770c27110259ff9ed1fbf71ba9477aa98ff58aea757ac7d29a95d654737c031db8b43229ada3ff7e583efb54bee276e4c5

Download Submit
memory/2604-136-0x00007FFEAEE50000-0x00007FFEAF886000-memory.dmp

Filesize
10.2MB

Download
memory/4160-132-0x00007FFEAEE50000-0x00007FFEAF886000-memory.dmp

Filesize
10.2MB

Download
memory/4984-140-0x0000000000400000-0x000000000118C000-memory.dmp

Filesize
13.5MB

Download
memory/4984-141-0x0000000000400000-0x000000000118C000-memory.dmp

Filesize
13.5MB

Download
memory/4984-142-0x0000000000400000-0x000000000118C000-memory.dmp

Filesize
13.5MB

Download