Malware Analysis Report

2024-09-23 02:46

Sample ID 240630-xvyvpssgpe
Target 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598
SHA256 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598
Tags
stormkitty bootkit collection discovery persistence spyware stealer evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598

Threat Level: Known bad

The file 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598 was found to be: Known bad.

Malicious Activity Summary

stormkitty bootkit collection discovery persistence spyware stealer evasion

Detects executables referencing many VPN software clients. Observed in information stealers

StormKitty payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing base64 encoded gzip files

Stormkitty family

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects executables using Telegram Chat Bot

Detects executables referencing many email and collaboration clients. Observed in information stealers

StormKitty

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing credit card regular expressions

Modifies security service

Detects executables referencing Discord tokens regular expressions

Sets service image path in registry

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Checks installed software on the system

Enumerates connected drives

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

outlook_office_path

outlook_win_path

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-30 19:11

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing base64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 19:11

Reported

2024-06-30 19:13

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

52s

Command Line

winlogon.exe

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing base64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
File created C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
File created C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
File created C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1492 set thread context of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\Logs\CBS\CBS.log C:\Windows\servicing\TrustedInstaller.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\servicing\TrustedInstaller.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotification.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotification.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\SCHTASKS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\MusNotification.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\MusNotification.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1492 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\SYSTEM32\SCHTASKS.exe
PID 1492 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\SYSTEM32\SCHTASKS.exe
PID 1492 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\SYSTEM32\SCHTASKS.exe
PID 1492 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\SYSTEM32\SCHTASKS.exe
PID 3304 wrote to memory of 612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3304 wrote to memory of 680 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3304 wrote to memory of 956 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 1492 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
PID 1492 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
PID 1492 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
PID 680 wrote to memory of 2812 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 3304 wrote to memory of 388 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 512 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1120 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1128 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1136 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1208 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1216 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1344 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1396 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1564 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1572 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1644 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1696 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1740 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1768 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1820 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1868 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 1876 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 1940 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 2032 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2040 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 3304 wrote to memory of 2116 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 2220 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2256 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 2460 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2468 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 3304 wrote to memory of 2628 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2752 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2812 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 3304 wrote to memory of 2828 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 2836 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3304 wrote to memory of 2900 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhostw.exe
PID 3304 wrote to memory of 3108 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 3196 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 3304 wrote to memory of 3468 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 3564 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 3304 wrote to memory of 3664 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\MusNotification.exe

C:\Windows\system32\MusNotification.exe

C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe

"C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ca473c97-53e8-4289-a4de-be80084ce6a9}

C:\Windows\SYSTEM32\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SYSTEM32\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe

"C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 9989a1bd24df04ea34b3971146260db8 z1Dd6F96eUKtxFo4ElqgSA.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3084 -ip 3084

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1920

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp

Files

memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp

memory/1492-1-0x00000184F8050000-0x00000184F808E000-memory.dmp

memory/1492-2-0x00007FF8B17D3000-0x00007FF8B17D5000-memory.dmp

memory/3304-5-0x0000000140000000-0x0000000140040000-memory.dmp

memory/3304-8-0x00007FF8CF850000-0x00007FF8CFA45000-memory.dmp

memory/3304-10-0x00007FF8CF450000-0x00007FF8CF50E000-memory.dmp

memory/1492-11-0x00007FF8B17D0000-0x00007FF8B2291000-memory.dmp

memory/3304-12-0x0000000140000000-0x0000000140040000-memory.dmp

memory/3304-6-0x0000000140000000-0x0000000140040000-memory.dmp

memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp

memory/3304-7-0x0000000140000000-0x0000000140040000-memory.dmp

memory/1492-4-0x00007FF8CF450000-0x00007FF8CF50E000-memory.dmp

memory/1492-3-0x00007FF8CF850000-0x00007FF8CFA45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe

MD5 0c38328646ce9eb5988a812b1de11b4d
SHA1 e018f0e0be3556a751920817d376215bbcab0233
SHA256 e04a9860f23388f7a72ba6ba79837c98d8c30647860ad73bdae5c597948d8178
SHA512 9834c67b68d0f96e2a0f5a3206367223899fbaeda3ab1f10100b567bbdc4a5121af82941d694af283363638d285e7913917d1702827a624d761c5b8d3c50c179

memory/956-37-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/956-44-0x00007FF8CF8EC000-0x00007FF8CF8ED000-memory.dmp

memory/956-43-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp

memory/1128-64-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/1216-75-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/1216-74-0x000001B99A630000-0x000001B99A65A000-memory.dmp

memory/1492-154-0x00007FF8B17D0000-0x00007FF8B2291000-memory.dmp

memory/1120-179-0x000001CDB6360000-0x000001CDB638A000-memory.dmp

memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp

memory/512-177-0x000002678C9D0000-0x000002678C9FA000-memory.dmp

memory/388-176-0x00000205C32D0000-0x00000205C32FA000-memory.dmp

memory/1208-72-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/1208-71-0x000001F2FA330000-0x000001F2FA35A000-memory.dmp

memory/1136-67-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/1136-66-0x00000217174B0000-0x00000217174DA000-memory.dmp

memory/1128-63-0x0000015065B40000-0x0000015065B6A000-memory.dmp

memory/1120-61-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/1120-60-0x000001CDB6360000-0x000001CDB638A000-memory.dmp

memory/512-55-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/512-54-0x000002678C9D0000-0x000002678C9FA000-memory.dmp

memory/388-51-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/388-50-0x00000205C32D0000-0x00000205C32FA000-memory.dmp

memory/316-42-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp

memory/680-41-0x000001808DAB0000-0x000001808DADA000-memory.dmp

memory/612-40-0x00007FF8CF8ED000-0x00007FF8CF8EE000-memory.dmp

memory/612-39-0x000001C015010000-0x000001C01503A000-memory.dmp

memory/956-36-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp

memory/316-34-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/316-33-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp

memory/680-29-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/680-28-0x000001808DAB0000-0x000001808DADA000-memory.dmp

memory/612-24-0x000001C015010000-0x000001C01503A000-memory.dmp

memory/612-25-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

memory/612-23-0x000001C014F70000-0x000001C014F93000-memory.dmp

memory/3084-304-0x0000000005E30000-0x0000000005EC2000-memory.dmp

memory/3084-305-0x0000000006480000-0x0000000006A24000-memory.dmp

memory/3084-307-0x0000000006300000-0x0000000006366000-memory.dmp

memory/956-401-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp

memory/316-400-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp

memory/680-399-0x000001808DAB0000-0x000001808DADA000-memory.dmp

memory/612-398-0x000001C015010000-0x000001C01503A000-memory.dmp

C:\Users\Admin\AppData\Roaming\BVRKIPTS\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 19:11

Reported

2024-06-30 19:13

Platform

win7-20240508-en

Max time kernel

132s

Max time network

122s

Command Line

winlogon.exe

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1932 created 432 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\winlogon.exe

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing base64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Discord tokens regular expressions

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many VPN software clients. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\UHRQKJCP\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
File created C:\ProgramData\UHRQKJCP\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
File created C:\ProgramData\UHRQKJCP\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\System32\Tasks\$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1932 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\SCHTASKS.exe N/A
N/A N/A C:\Windows\system32\SCHTASKS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 1932 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 1932 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 1932 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 1932 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 1932 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 2556 wrote to memory of 432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2556 wrote to memory of 476 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\services.exe
PID 2556 wrote to memory of 492 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2556 wrote to memory of 500 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsm.exe
PID 2556 wrote to memory of 596 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 748 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2556 wrote to memory of 816 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2556 wrote to memory of 852 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 112 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 280 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 2556 wrote to memory of 1068 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 1092 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhost.exe
PID 2556 wrote to memory of 1168 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\Dwm.exe
PID 2556 wrote to memory of 1196 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 804 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 2556 wrote to memory of 2996 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 1684 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sppsvc.exe
PID 2556 wrote to memory of 1932 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
PID 2556 wrote to memory of 2804 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\SCHTASKS.exe
PID 2556 wrote to memory of 2656 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\conhost.exe
PID 2556 wrote to memory of 1916 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\SCHTASKS.exe
PID 2556 wrote to memory of 2580 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\conhost.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 1932 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 596 wrote to memory of 1744 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 1744 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 1744 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2556 wrote to memory of 1744 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2556 wrote to memory of 1744 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 492 wrote to memory of 1744 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
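Reading the two tables above together tells more than either alone: the sample (PID 1932) enables SeDebugPrivilege, hands off to a dllhost.exe it spawned (PID 2556), and that dllhost then writes into winlogon.exe, services.exe, lsass.exe, lsm.exe, every svchost.exe, spoolsv.exe, taskhost.exe, Dwm.exe and Explorer.EXE, after which lsass.exe itself shows up as a writer into the dropped kez0zoaa.3lk.exe. The Python below is an added example, not part of this report or of any sandbox tooling: it parses a constructed subset of the rows in the report's own "Description Indicator Process Target" layout, collapses the duplicated rows, and scores each writing process on SeDebugPrivilege, writes into core system processes, fan-out to many distinct images, and whether the writer is itself a core process. The CORE_SYSTEM list and the fan-out threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed subset of the report's "Suspicious use of AdjustPrivilegeToken" rows.
PRIV_ROWS = r"""
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
"""

# Constructed subset of the report's "Suspicious use of WriteProcessMemory" rows (same layout).
WPM_ROWS = r"""
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\System32\dllhost.exe
PID 1932 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe C:\Windows\system32\SCHTASKS.exe
PID 2556 wrote to memory of 432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2556 wrote to memory of 476 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\services.exe
PID 2556 wrote to memory of 492 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2556 wrote to memory of 500 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsm.exe
PID 2556 wrote to memory of 596 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2556 wrote to memory of 1196 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 492 wrote to memory of 528 N/A C:\Windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe
PID 596 wrote to memory of 1744 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
"""

PRIV_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Processes a user-mode program never has a legitimate reason to write into (example's own list).
CORE_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "lsm.exe"}


def basename(path):
    """Lower-cased image name from a Windows path, so System32/system32 variants compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_privileges(text):
    """Map image name -> set of privileges that image enabled."""
    privs = defaultdict(set)
    for line in text.strip().splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[basename(m.group(2))].add(m.group(1))
    return privs


def parse_writes(text):
    """Map writer PID -> {'image': name, 'targets': {pid: image}}; repeated rows collapse."""
    writers = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        entry = writers.setdefault(src, {"image": basename(src_img), "targets": {}})
        entry["targets"][dst] = basename(dst_img)
    return writers


def assess(priv_text, wpm_text, fanout_threshold=3):
    """Score each writer on four signals; an empty findings list means nothing anomalous."""
    privs = parse_privileges(priv_text)
    report = {}
    for pid, w in parse_writes(wpm_text).items():
        images = set(w["targets"].values())
        core_hits = sorted(images & CORE_SYSTEM)
        findings = []
        if "SeDebugPrivilege" in privs.get(w["image"], ()):
            findings.append("enabled SeDebugPrivilege")
        if core_hits:
            findings.append("wrote into core system processes: " + ", ".join(core_hits))
        if len(images) >= fanout_threshold:
            findings.append(f"fan-out to {len(images)} distinct target images")
        if w["image"] in CORE_SYSTEM:
            # lsass.exe only becomes a writer once it is executing someone else's code.
            findings.append("writer is itself a core system process (hosts injected code)")
        report[pid] = {"image": w["image"], "targets": len(w["targets"]), "findings": findings}
    return report


if __name__ == "__main__":
    for pid, r in assess(PRIV_ROWS, WPM_ROWS).items():
        print(pid, r["image"], r["targets"], "->", "; ".join(r["findings"]) or "nothing anomalous")
```

A parent writing into a child it has just created (1932 into 2556 and into the SCHTASKS.exe instances) is ambiguous on its own, since process hollowing and ordinary loader plumbing look the same in a sandbox log; the unambiguous signal is a process writing into unrelated, already-running system processes, which is why dllhost.exe scores highest here while svchost.exe writing to its own wmiprvse.exe child scores nothing.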

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe

"C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{4f2ac900-35f2-436e-bcb2-54ce61cb99c2}

C:\Windows\system32\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "148425150813318597927561939761094637866-20629699181079132338-1170122278791387399"

C:\Windows\system32\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2026913416326333341209631997-1792651647408821924-2014287331461996794718441696"

C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe

"C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding
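The two SCHTASKS.exe command lines in the process list above are the mechanism behind the "persistence" tag: a logon-triggered task at the highest run level, pointing at the sample in the user's Temp directory, created twice under the same task name. Those details are easier to pull out mechanically than by eye. The Python below is an added example, not part of the report: it tokenises the command line as the report shows it, extracts the /tn, /tr, /sc and /rl arguments, and lists what a triage analyst would flag. The user-writable directory list is the example's own. The check for the "$77" prefix relies on a known convention of the open-source r77 rootkit, which hides any file, process, registry key or scheduled task whose name starts with $77; this report does not itself identify that rootkit, so treat a match as a lead to confirm by inspecting disk and memory, not as a verdict.

```python
import re

SAMPLE = "190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"

# Constructed copy of the SCHTASKS.exe command line as it appears in the process list above.
SCHTASKS_CMDLINE = (
    f'"SCHTASKS.exe" /create /tn "$77{SAMPLE}" '
    f'/tr "\'C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}\'" /sc onlogon /rl HIGHEST'
)

# Directories an unprivileged user can write to (example's own list, extend for your estate).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I
)
VERBS = {"/create", "/delete", "/run", "/change", "/query", "/end"}


def basename(path):
    return path.strip("'\"").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return schtasks switches as a dict: the verb under 'verb', /x value pairs under 'x'."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("schtasks.exe", "schtasks"):
        return {}
    opts, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.lower() in VERBS:
            opts["verb"] = tok[1:].lower()
            i += 1
        elif tok.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[tok[1:].lower()] = toks[i + 1]
            i += 2
        else:  # bare flag such as /f
            opts.setdefault("flags", []).append(tok.lower())
            i += 1
    return opts


def assess_task(cmdline):
    """Return (parsed options, list of triage findings) for a schtasks /create command line."""
    opts = parse_schtasks(cmdline)
    findings = []
    if opts.get("verb") != "create":
        return opts, findings
    run = opts.get("tr", "").strip("'\"")   # the sample wraps the path in single quotes
    name = opts.get("tn", "")
    sc = opts.get("sc", "").lower()
    if sc in ("onlogon", "onstart"):
        findings.append(f"/sc {sc}: re-executes at every logon or boot")
    if opts.get("rl", "").upper() == "HIGHEST":
        findings.append("/rl HIGHEST: runs elevated, with no UAC prompt, when the creator is an administrator")
    if USER_WRITABLE.search(run):
        findings.append("/tr points into a user-writable staging directory")
    if name.startswith("$77"):
        findings.append("/tn carries the $77 prefix that the r77 rootkit uses to hide objects")
    if basename(run) and basename(run) in name.lower():
        findings.append("task is named after the executable it launches")
    return opts, findings


if __name__ == "__main__":
    opts, findings = assess_task(SCHTASKS_CMDLINE)
    print(opts)
    for f in findings:
        print(" -", f)
```

The same parser applied to the sample's two command lines returns identical results, which is itself worth noting: the second /create with an existing task name fails unless /f is given, so the duplicate is most likely the sample re-running its persistence routine rather than creating two tasks.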

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.85.189:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.12.205:443 api.ipify.org tcp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
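The Network table shows the traffic shape behind the stealer tags: four different public-IP and geolocation services are queried to fingerprint the victim, a Dropbox direct-download link is fetched repeatedly, and the only channel after that is api.telegram.org, the Telegram Bot API the static signatures flagged. The Python below is an added example, not part of the report: it parses a constructed copy of the table, separates DNS lookups from the connections actually made, assigns each domain a role (the ROLES table is the example's own), and splits the IP:port pairs into usable and weak indicators, because three of the endpoints sit in Cloudflare's shared anycast ranges and would match unrelated traffic. The CIDRs used for that split are an assumption to re-verify against Cloudflare's published list before use.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the report's Network table (Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.160.84:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
"""

# Role each domain plays for a stealer (example's own mapping; keep it in config in practice).
ROLES = {
    "freegeoip.app": "victim fingerprint (geo-IP)",
    "ipbase.com": "victim fingerprint (geo-IP)",
    "ip-api.com": "victim fingerprint (geo-IP)",
    "api.ipify.org": "victim fingerprint (public IP)",
    "api.telegram.org": "exfiltration channel (Telegram Bot API)",
    "dl.dropboxusercontent.com": "payload/config hosting (Dropbox direct link)",
}

# Shared CDN edges: Cloudflare IPv4 ranges as published at the time of writing (assumption;
# re-verify against cloudflare.com/ips). An IP inside these is a poor indicator on its own.
SHARED_EDGE = [ipaddress.ip_network(c) for c in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")


def parse_network(text):
    """Group rows by domain: whether it was resolved, and the (ip, port) endpoints connected to."""
    by_domain = defaultdict(lambda: {"dns": False, "endpoints": set()})
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _cc, ip, port, domain, proto = m.groups()
        if proto == "udp" and port == "53":
            by_domain[domain]["dns"] = True
        else:
            by_domain[domain]["endpoints"].add((ip, int(port)))
    return by_domain


def is_shared_edge(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EDGE)


def assess_network(text):
    """Classify domains, split endpoints into strong/weak IOCs, and derive behavioural findings."""
    net = parse_network(text)
    roles = defaultdict(list)
    strong, weak, findings = [], [], []
    for domain, d in sorted(net.items()):
        roles[ROLES.get(domain, "unclassified")].append(domain)
        for ip, port in sorted(d["endpoints"]):
            (weak if is_shared_edge(ip) else strong).append(f"{ip}:{port}")
            if port == 80:
                findings.append(f"{domain} contacted over plain HTTP: request and reply are inspectable on the wire")
    fingerprint = [dom for role, doms in roles.items() if role.startswith("victim fingerprint") for dom in doms]
    if len(fingerprint) >= 2:
        findings.append(f"{len(fingerprint)} distinct IP/geo lookup services: redundant victim fingerprinting")
    if fingerprint and "api.telegram.org" in net:
        findings.append("fingerprinting followed by Telegram Bot API traffic: stealer exfiltration pattern")
    return {"roles": dict(roles), "findings": findings, "strong_iocs": strong, "weak_iocs": weak}


if __name__ == "__main__":
    result = assess_network(NETWORK_ROWS)
    for role, domains in result["roles"].items():
        print(f"{role}: {', '.join(domains)}")
    print("strong IOCs:", result["strong_iocs"])
    print("weak IOCs (shared CDN edge):", result["weak_iocs"])
    for f in result["findings"]:
        print(" -", f)
```

None of these domains is malicious in itself, so blocking them is mostly collateral damage; the durable detection is the combination, from one non-browser process, of several IP-fingerprinting lookups followed by Telegram Bot API traffic. The ip-api.com request on port 80 is the one exchange a network sensor can read in clear, which makes it the natural place to confirm what the sample sends about the host.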

Files

memory/1932-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

memory/1932-1-0x0000000000830000-0x00000000008C2000-memory.dmp

memory/1932-2-0x0000000000370000-0x00000000003AE000-memory.dmp

memory/1932-3-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/1932-4-0x0000000077A10000-0x0000000077B2F000-memory.dmp

memory/2556-9-0x0000000077A10000-0x0000000077B2F000-memory.dmp

memory/1932-10-0x00000000007D0000-0x0000000000826000-memory.dmp

memory/2556-11-0x0000000140000000-0x0000000140040000-memory.dmp

memory/2556-8-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/2556-7-0x0000000140000000-0x0000000140040000-memory.dmp

memory/432-17-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp

memory/476-22-0x00000000000E0000-0x000000000010A000-memory.dmp

memory/492-63-0x0000000037B70000-0x0000000037B80000-memory.dmp

memory/500-67-0x0000000037B70000-0x0000000037B80000-memory.dmp

memory/500-66-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp

memory/500-65-0x00000000007F0000-0x000000000081A000-memory.dmp

memory/492-62-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp

memory/492-61-0x0000000000240000-0x000000000026A000-memory.dmp

memory/476-59-0x0000000037B70000-0x0000000037B80000-memory.dmp

memory/476-58-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp

memory/432-18-0x0000000037B70000-0x0000000037B80000-memory.dmp

memory/432-16-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

memory/432-15-0x0000000000380000-0x00000000003A3000-memory.dmp

memory/432-13-0x0000000000380000-0x00000000003A3000-memory.dmp

memory/1932-177-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

memory/2556-5-0x0000000140000000-0x0000000140040000-memory.dmp

memory/2556-179-0x0000000077B31000-0x0000000077C32000-memory.dmp

memory/1932-178-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

memory/1932-187-0x0000000000580000-0x0000000000600000-memory.dmp

memory/596-186-0x0000000000500000-0x000000000052A000-memory.dmp

memory/500-185-0x00000000007F0000-0x000000000081A000-memory.dmp

memory/492-184-0x0000000000240000-0x000000000026A000-memory.dmp

memory/476-183-0x00000000000E0000-0x000000000010A000-memory.dmp

memory/432-182-0x0000000077B81000-0x0000000077B82000-memory.dmp

memory/432-181-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

memory/2556-180-0x0000000077B30000-0x0000000077CD9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kez0zoaa.3lk.exe

MD5 0c38328646ce9eb5988a812b1de11b4d
SHA1 e018f0e0be3556a751920817d376215bbcab0233
SHA256 e04a9860f23388f7a72ba6ba79837c98d8c30647860ad73bdae5c597948d8178
SHA512 9834c67b68d0f96e2a0f5a3206367223899fbaeda3ab1f10100b567bbdc4a5121af82941d694af283363638d285e7913917d1702827a624d761c5b8d3c50c179

memory/1932-201-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

memory/528-202-0x0000000001340000-0x0000000001396000-memory.dmp

C:\ProgramData\UHRQKJCP\FileGrabber\Desktop\ConvertToExport.jpeg

MD5 3c51fed1392995e3fd0a17623f1e012d
SHA1 3f06fc9cc814405cabfd66f0942c18bea3492100
SHA256 af1a63fd595700068badb8ee5b83ce0317be9a807298d5ba4c01021b2d792b6f
SHA512 74a8e4965cdb67866f16d1b2443f859aea286d7e6eaaf5c594fcbdcf98b7877020675084f823d5b877602bb6d8384e9d96e2a9481c48e07f6af5f07afb86c3bb

C:\ProgramData\UHRQKJCP\FileGrabber\Documents\ApproveFormat.rtf

MD5 dd4e8311a1925e874735378a136afe80
SHA1 1be721cb8674f5cdc756ad6178190359c46fe417
SHA256 61335cd297cbda297d2c5903d789cea9d3f3fa0b675ab31e2c709c05f6ac6fba
SHA512 597f6feea701e6b01c205df3cee301f4c06d4c7e92033edf7abd1f42c94399a0494e44e292e711c2f1f37d8a35d95b05efd81da14161c33ac19c2ee96b0c6191

C:\ProgramData\UHRQKJCP\FileGrabber\Downloads\ConvertToExpand.png

MD5 d8dceb4add066589d5b8626804be0e3f
SHA1 051a7ee680ad78db2b217dc483c84a29e206bc54
SHA256 091d040f02a615ffa5abad226601023bc9c595f7fea29390384bcc09a2e19d5c
SHA512 d8e82b4a02b77f8fe8cb9cd55ecc5061a4aa04d802474b4cab0a1e0abb6dc1068775b7cc79f6f933189285fc474d6014c3ca550ae4922b9d217e94d03f5a32ee

C:\ProgramData\UHRQKJCP\FileGrabber\Downloads\EnableSet.doc

MD5 50c47f5631c26748144cb0822e24cbbc
SHA1 63f6394d13c9f02ef7d1669d13a4e4ab1dcc967c
SHA256 94e0127b5992ec81ea740d25a07fe87c4d4b9a339b526d8bd372aa1d22a172bc
SHA512 b38062943dfa0b4d20de618d59e5b24fa7c2a566e8e610accdc67170b5c888e2b37fb52bbe5d1d1bfcc6ec0de12f8befb5e6ce138d5c0f29b03b9d70519f3d51

C:\ProgramData\UHRQKJCP\FileGrabber\Pictures\ResetPublish.svg

MD5 55687d58ee31ac3e7d76d71f9c2e4015
SHA1 3ad8a0673afbbee3b91b558df3dcb92883348cdd
SHA256 1e6b03301e1a92859db62a720e1292ca6d930651537e9cf21d08cd07c7dd76e6
SHA512 3399fa6c2e32e43a5fd1d240a1811dc1413ca2235c67aebfb69fcd31c51f2f8f931345d10c2ace5d63b7362f0bffcb6f956a79a2726f03d3879111f1d2c9b051

C:\ProgramData\UHRQKJCP\FileGrabber\Pictures\SetDebug.jpg

MD5 5597b6f6af184271cf5c699ec4e14091
SHA1 522c507fc336db666412ff37f1e1f2134a246228
SHA256 45fdaaa071752420ae87ad2da988c47675443e2e5e21ef36d0d38868a815fb5e
SHA512 b7d2d9f735c7cd24710d69be7e5c2317065d01c2b234b486849a5a197c3d84f53ef5a71e1ef448c2e5a5d5476ef1f05d4fc55e0ab9843d177633fb7e5eaaf914

memory/432-732-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

memory/476-733-0x00000000000E0000-0x000000000010A000-memory.dmp

memory/492-734-0x0000000000240000-0x000000000026A000-memory.dmp

memory/596-736-0x0000000000500000-0x000000000052A000-memory.dmp

memory/500-735-0x00000000007F0000-0x000000000081A000-memory.dmp

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512 c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 46d08e3a55f007c523ac64dce6dcf478
SHA1 62edf88697e98d43f32090a2197bead7e7244245
SHA256 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512 b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

C:\Windows\System32\perfc011.dat

MD5 1f998386566e5f9b7f11cc79254d1820
SHA1 e1da5fe1f305099b94de565d06bc6f36c6794481
SHA256 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512 a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

C:\Windows\System32\perfh007.dat

MD5 5026297c7c445e7f6f705906a6f57c02
SHA1 4ec3b66d44b0d44ec139bd1475afd100748f9e91
SHA256 506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc
SHA512 5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

C:\Windows\System32\perfc007.dat

MD5 0f3d76321f0a7986b42b25a3aa554f82
SHA1 7036bba62109cc25da5d6a84d22b6edb954987c0
SHA256 dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460
SHA512 bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

C:\Windows\System32\perfh009.dat

MD5 1c678ee06bd02b5d9e4d51c3a4ec2d2b
SHA1 90aa7fdfaaa37fb4f2edfc8efc3994871087dedb
SHA256 2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3
SHA512 ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

C:\Windows\System32\perfc00A.dat

MD5 540138285295c68de32a419b7d9de687
SHA1 1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56
SHA256 33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb
SHA512 7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

C:\Windows\System32\perfh00A.dat

MD5 340af83514a525c50ffbbf8475ed62b7
SHA1 e2f382ae75afe7df8a323320bbb2aafa1ff6e407
SHA256 fb298e9a90476b4698def395a8ee1974c1cee3959b658662c730da915caea417
SHA512 8236aab579456ef4614ddd5fbfe72d0b0b26617c43a9cd53c3de56d3ac052eee8ca7d70749aaca0692855ecd4fd5f1460ac0b1dd30481dee519b910755c1cc2d

C:\Windows\System32\perfc00C.dat

MD5 831dbe568992299e589143ee8898e131
SHA1 737726173aab8b76fe1f98104d72bb91abd273bf
SHA256 4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405
SHA512 39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

C:\Windows\System32\perfh00C.dat

MD5 5f684ce126de17a7d4433ed2494c5ca9
SHA1 ce1a30a477daa1bac2ec358ce58731429eafe911
SHA256 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA512 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

C:\Windows\System32\perfh010.dat

MD5 4623482c106cf6cc1bac198f31787b65
SHA1 5abb0decf7b42ef5daf7db012a742311932f6dad
SHA256 eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512 afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

C:\Windows\System32\perfc010.dat

MD5 cf82e7354e591c1408eb2cc0e29dd274
SHA1 7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9
SHA256 59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d
SHA512 98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620

C:\Windows\System32\perfh011.dat

MD5 24da30cbb5f0fe4939862880e72cc32c
SHA1 9132497736f52dae62b79be1677c05e32a7ba2ab
SHA256 a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f
SHA512 332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2