Analysis Overview
SHA256
190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598
Threat Level: Known bad
The file 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598 was found to be: Known bad.
Malicious Activity Summary
Detects executables referencing many VPN software clients. Observed in infostealers
StormKitty payload
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing base64 encoded gzip files
Stormkitty family
Suspicious use of NtCreateUserProcessOtherParentProcess
Detects executables using Telegram Chat Bot
Detects executables referencing many email and collaboration clients. Observed in information stealers
StormKitty
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Detects executables referencing credit card regular expressions
Modifies security service
Detects executables referencing Discord tokens regular expressions
Sets service image path in registry
Checks computer location settings
Reads user/profile data of web browsers
Checks BIOS information in registry
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Enumerates system info in registry
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
outlook_office_path
outlook_win_path
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-30 19:11
Signatures
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing base64 encoded gzip files
Detects executables referencing Discord tokens regular expressions
Detects executables referencing credit card regular expressions
Detects executables referencing many VPN software clients. Observed in infostealers
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables using Telegram Chat Bot
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 19:11
Reported
2024-06-30 19:13
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
52s
Command Line
Signatures
StormKitty
StormKitty payload
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1492 created 612 | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | C:\Windows\system32\winlogon.exe |
| PID 4416 created 3084 | N/A | C:\Windows\System32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing base64 encoded gzip files
Detects executables referencing Discord tokens regular expressions
Detects executables referencing credit card regular expressions
Detects executables referencing many VPN software clients. Observed in infostealers
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables using Telegram Chat Bot
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1492 set thread context of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Logs\CBS\CBS.log | C:\Windows\servicing\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\servicing\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotification.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotification.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\MusNotification.exe | C:\Windows\system32\MusNotification.exe |
| C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | "C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" |
| C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{ca473c97-53e8-4289-a4de-be80084ce6a9} |
| C:\Windows\SYSTEM32\SCHTASKS.exe | "SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST |
| C:\Windows\SYSTEM32\SCHTASKS.exe | "SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | "C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe 9989a1bd24df04ea34b3971146260db8 z1Dd6F96eUKtxFo4ElqgSA.0.1.0.0.0 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3084 -ip 3084 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1920 |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
| MD5 | 0c38328646ce9eb5988a812b1de11b4d |
| SHA1 | e018f0e0be3556a751920817d376215bbcab0233 |
| SHA256 | e04a9860f23388f7a72ba6ba79837c98d8c30647860ad73bdae5c597948d8178 |
| SHA512 | 9834c67b68d0f96e2a0f5a3206367223899fbaeda3ab1f10100b567bbdc4a5121af82941d694af283363638d285e7913917d1702827a624d761c5b8d3c50c179 |
C:\Users\Admin\AppData\Roaming\BVRKIPTS\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-30 19:11 |
| Reported | 2024-06-30 19:13 |
| Platform | win7-20240508-en |
| Max time kernel | 132s |
| Max time network | 122s |
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1932 created 432 | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | C:\Windows\system32\winlogon.exe |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded gzip files
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing Discord tokens regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many VPN software clients. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables using Telegram Chat Bot
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\UHRQKJCP\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| File created | C:\ProgramData\UHRQKJCP\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| File created | C:\ProgramData\UHRQKJCP\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\System32\Tasks\$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1932 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\system32\SCHTASKS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | "C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" |
| C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{4f2ac900-35f2-436e-bcb2-54ce61cb99c2} |
| C:\Windows\system32\SCHTASKS.exe | "SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "148425150813318597927561939761094637866-20629699181079132338-1170122278791387399" |
| C:\Windows\system32\SCHTASKS.exe | "SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "2026913416326333341209631997-1792651647408821924-2014287331461996794718441696" |
| C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe | "C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
| MD5 | 0c38328646ce9eb5988a812b1de11b4d |
| SHA1 | e018f0e0be3556a751920817d376215bbcab0233 |
| SHA256 | e04a9860f23388f7a72ba6ba79837c98d8c30647860ad73bdae5c597948d8178 |
| SHA512 | 9834c67b68d0f96e2a0f5a3206367223899fbaeda3ab1f10100b567bbdc4a5121af82941d694af283363638d285e7913917d1702827a624d761c5b8d3c50c179 |
C:\ProgramData\UHRQKJCP\FileGrabber\Desktop\ConvertToExport.jpeg
| MD5 | 3c51fed1392995e3fd0a17623f1e012d |
| SHA1 | 3f06fc9cc814405cabfd66f0942c18bea3492100 |
| SHA256 | af1a63fd595700068badb8ee5b83ce0317be9a807298d5ba4c01021b2d792b6f |
| SHA512 | 74a8e4965cdb67866f16d1b2443f859aea286d7e6eaaf5c594fcbdcf98b7877020675084f823d5b877602bb6d8384e9d96e2a9481c48e07f6af5f07afb86c3bb |
C:\ProgramData\UHRQKJCP\FileGrabber\Documents\ApproveFormat.rtf
| MD5 | dd4e8311a1925e874735378a136afe80 |
| SHA1 | 1be721cb8674f5cdc756ad6178190359c46fe417 |
| SHA256 | 61335cd297cbda297d2c5903d789cea9d3f3fa0b675ab31e2c709c05f6ac6fba |
| SHA512 | 597f6feea701e6b01c205df3cee301f4c06d4c7e92033edf7abd1f42c94399a0494e44e292e711c2f1f37d8a35d95b05efd81da14161c33ac19c2ee96b0c6191 |
C:\ProgramData\UHRQKJCP\FileGrabber\Downloads\ConvertToExpand.png
| MD5 | d8dceb4add066589d5b8626804be0e3f |
| SHA1 | 051a7ee680ad78db2b217dc483c84a29e206bc54 |
| SHA256 | 091d040f02a615ffa5abad226601023bc9c595f7fea29390384bcc09a2e19d5c |
| SHA512 | d8e82b4a02b77f8fe8cb9cd55ecc5061a4aa04d802474b4cab0a1e0abb6dc1068775b7cc79f6f933189285fc474d6014c3ca550ae4922b9d217e94d03f5a32ee |
C:\ProgramData\UHRQKJCP\FileGrabber\Downloads\EnableSet.doc
| MD5 | 50c47f5631c26748144cb0822e24cbbc |
| SHA1 | 63f6394d13c9f02ef7d1669d13a4e4ab1dcc967c |
| SHA256 | 94e0127b5992ec81ea740d25a07fe87c4d4b9a339b526d8bd372aa1d22a172bc |
| SHA512 | b38062943dfa0b4d20de618d59e5b24fa7c2a566e8e610accdc67170b5c888e2b37fb52bbe5d1d1bfcc6ec0de12f8befb5e6ce138d5c0f29b03b9d70519f3d51 |
C:\ProgramData\UHRQKJCP\FileGrabber\Pictures\ResetPublish.svg
| MD5 | 55687d58ee31ac3e7d76d71f9c2e4015 |
| SHA1 | 3ad8a0673afbbee3b91b558df3dcb92883348cdd |
| SHA256 | 1e6b03301e1a92859db62a720e1292ca6d930651537e9cf21d08cd07c7dd76e6 |
| SHA512 | 3399fa6c2e32e43a5fd1d240a1811dc1413ca2235c67aebfb69fcd31c51f2f8f931345d10c2ace5d63b7362f0bffcb6f956a79a2726f03d3879111f1d2c9b051 |
C:\ProgramData\UHRQKJCP\FileGrabber\Pictures\SetDebug.jpg
| MD5 | 5597b6f6af184271cf5c699ec4e14091 |
| SHA1 | 522c507fc336db666412ff37f1e1f2134a246228 |
| SHA256 | 45fdaaa071752420ae87ad2da988c47675443e2e5e21ef36d0d38868a815fb5e |
| SHA512 | b7d2d9f735c7cd24710d69be7e5c2317065d01c2b234b486849a5a197c3d84f53ef5a71e1ef448c2e5a5d5476ef1f05d4fc55e0ab9843d177633fb7e5eaaf914 |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | b133a676d139032a27de3d9619e70091 |
| SHA1 | 1248aa89938a13640252a79113930ede2f26f1fa |
| SHA256 | ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15 |
| SHA512 | c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5 |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | 46d08e3a55f007c523ac64dce6dcf478 |
| SHA1 | 62edf88697e98d43f32090a2197bead7e7244245 |
| SHA256 | 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614 |
| SHA512 | b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42 |
C:\Windows\System32\perfc011.dat
| MD5 | 1f998386566e5f9b7f11cc79254d1820 |
| SHA1 | e1da5fe1f305099b94de565d06bc6f36c6794481 |
| SHA256 | 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea |
| SHA512 | a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f |
C:\Windows\System32\perfh007.dat
| MD5 | 5026297c7c445e7f6f705906a6f57c02 |
| SHA1 | 4ec3b66d44b0d44ec139bd1475afd100748f9e91 |
| SHA256 | 506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc |
| SHA512 | 5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d |
C:\Windows\System32\perfc007.dat
| MD5 | 0f3d76321f0a7986b42b25a3aa554f82 |
| SHA1 | 7036bba62109cc25da5d6a84d22b6edb954987c0 |
| SHA256 | dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460 |
| SHA512 | bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0 |
C:\Windows\System32\perfh009.dat
| MD5 | 1c678ee06bd02b5d9e4d51c3a4ec2d2b |
| SHA1 | 90aa7fdfaaa37fb4f2edfc8efc3994871087dedb |
| SHA256 | 2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3 |
| SHA512 | ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32 |
C:\Windows\System32\perfc00A.dat
| MD5 | 540138285295c68de32a419b7d9de687 |
| SHA1 | 1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56 |
| SHA256 | 33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb |
| SHA512 | 7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a |
C:\Windows\System32\perfh00A.dat
| MD5 | 340af83514a525c50ffbbf8475ed62b7 |
| SHA1 | e2f382ae75afe7df8a323320bbb2aafa1ff6e407 |
| SHA256 | fb298e9a90476b4698def395a8ee1974c1cee3959b658662c730da915caea417 |
| SHA512 | 8236aab579456ef4614ddd5fbfe72d0b0b26617c43a9cd53c3de56d3ac052eee8ca7d70749aaca0692855ecd4fd5f1460ac0b1dd30481dee519b910755c1cc2d |
C:\Windows\System32\perfc00C.dat
| MD5 | 831dbe568992299e589143ee8898e131 |
| SHA1 | 737726173aab8b76fe1f98104d72bb91abd273bf |
| SHA256 | 4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405 |
| SHA512 | 39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139 |
C:\Windows\System32\perfh00C.dat
| MD5 | 5f684ce126de17a7d4433ed2494c5ca9 |
| SHA1 | ce1a30a477daa1bac2ec358ce58731429eafe911 |
| SHA256 | 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c |
| SHA512 | 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b |
C:\Windows\System32\perfh010.dat
| MD5 | 4623482c106cf6cc1bac198f31787b65 |
| SHA1 | 5abb0decf7b42ef5daf7db012a742311932f6dad |
| SHA256 | eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349 |
| SHA512 | afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f |
C:\Windows\System32\perfc010.dat
| MD5 | cf82e7354e591c1408eb2cc0e29dd274 |
| SHA1 | 7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9 |
| SHA256 | 59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d |
| SHA512 | 98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620 |
C:\Windows\System32\perfh011.dat
| MD5 | 24da30cbb5f0fe4939862880e72cc32c |
| SHA1 | 9132497736f52dae62b79be1677c05e32a7ba2ab |
| SHA256 | a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f |
| SHA512 | 332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2 |