Malware Analysis Report

2024-10-19 06:17

Sample ID 220322-p7hp9afbb6
Target a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4
SHA256 a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4
Tags
evasion persistence trojan discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4

Threat Level: Known bad

The file a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4 was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan discovery spyware stealer

Process spawned unexpected child process

UAC bypass

Modifies WinLogon for persistence

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks whether UAC is enabled

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-30 11:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 12:58

Reported

2022-03-22 13:00

Platform

win7-20220311-en

Max time kernel

4294180s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\ProgramData\\Start Menu\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\ProgramData\\Start Menu\\lsass.exe\", \"C:\\Documents and Settings\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Documents and Settings\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Start Menu\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Documents\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Microsoft Help\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Favorites\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
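Read together, the three tables above describe one persistence scheme. A clean HKLM\...\Winlogon\Shell value is just explorer.exe; the sample keeps rewriting it as a comma-separated list so that every dropped copy is started alongside the shell at logon. It registers the same copies under HKLM\...\Run, and it sets EnableLUA to 0 so that UAC stops prompting after the next reboot. The copies borrow the names of Windows system processes (lsass.exe, csrss.exe, smss.exe, winlogon.exe, services.exe, lsm.exe, taskhost.exe, explorer.exe) but sit in ProgramData, Public and Program Files folders, which is the detail a triage script can key on. The Python below is an added example for this page, not part of the sandbox report or of the sample: it parses 'Set value' rows in the report's own format and flags each of those three conditions. The rows it parses are shortened, constructed copies of the report's indicators, and the rule names, the list of binary names and the "genuine copies live under C:\Windows" location check are this example's own assumptions.

```python
"""Registry-row triage for the persistence pattern in this report: a hijacked
Winlogon Shell list, Run keys that point at system-binary look-alikes in
user-writable directories, and EnableLUA forced to 0."""
import csv
import ntpath
import re

# Names this sample reuses for its dropped copies (assumed list). Genuine copies
# live under C:\Windows (explorer.exe) or C:\Windows\System32 (the rest);
# "Idle.exe" is not a real binary at all, it mimics the "System Idle Process" label.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
    "lsm.exe", "taskhost.exe", "explorer.exe", "idle.exe", "svchost.exe",
}

# Key paths in the sandbox's \REGISTRY\MACHINE\... notation, compared lower-case.
WINLOGON_SHELL = r"\registry\machine\software\microsoft\windows nt\currentversion\winlogon\shell"
RUN_KEY_PREFIX = r"\registry\machine\software\microsoft\windows\currentversion\run" + "\\"
ENABLE_LUA = r"\registry\machine\software\microsoft\windows\currentversion\policies\system\enablelua"

# Row format used in the report: Set value (str|int) <key> = "<C-escaped value>"
ROW_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)"$')


def unescape(text):
    # The sandbox prints values C-escaped: \" for a quote, \\ for a backslash.
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_set_value(line):
    """Return (kind, key, value) for a 'Set value' row, or None for other rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    kind, key, raw = m.groups()
    return kind, key, unescape(raw)


def split_shell_value(value):
    # Winlogon Shell is a comma-separated list; a clean machine holds exactly
    # "explorer.exe". Quoted entries may contain commas, so let csv split it.
    return [e.strip() for e in next(csv.reader([value], skipinitialspace=True)) if e.strip()]


def masquerades_as_system_binary(path):
    # True when a well-known Windows binary name sits outside C:\Windows (assumption:
    # nothing legitimate ships copies of these names elsewhere).
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    under_windows = directory == "c:\\windows" or directory.startswith("c:\\windows\\")
    return name in SYSTEM_BINARY_NAMES and not under_windows


def triage_registry_rows(rows):
    """Run the three rules over report rows; returns [(rule, detail), ...]."""
    findings = []
    for row in rows:
        parsed = parse_set_value(row)
        if parsed is None:
            continue
        kind, key, value = parsed
        k = key.lower()
        if k == WINLOGON_SHELL:
            # Anything other than explorer.exe in the Shell list is a logon hook.
            for entry in split_shell_value(value):
                if entry.lower() != "explorer.exe":
                    findings.append(("winlogon_shell_extra", entry))
        elif k.startswith(RUN_KEY_PREFIX):
            path = value.strip('"')
            if masquerades_as_system_binary(path):
                findings.append(("run_key_masquerade", path))
        elif k == ENABLE_LUA and kind == "int" and value == "0":
            findings.append(("uac_disabled", key))
    return findings


# Constructed rows in the report's format (shortened; not copied from the run).
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Start Menu\\lsass.exe\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Program Files\\Vendor\\updater.exe\""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
'''.strip().splitlines()

if __name__ == "__main__":
    for rule, detail in triage_registry_rows(SAMPLE_ROWS):
        print(f"{rule:22s} {detail}")
```

On the constructed rows the script reports two extra Shell entries, one Run key (lsass) whose target is outside C:\Windows, and the EnableLUA change; the benign Run\Updater row produces nothing. The same parser runs unchanged over the full row lists above, since it only depends on the 'Set value (...) key = "value"' shape.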

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXCD01.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXD83E.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\RCXDE0C.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\RCXB85A.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXD8AC.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\RCXDE7B.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\RCXB740.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXCC93.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Token: SeDebugPrivilege N/A C:\Documents and Settings\services.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

"C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "CcI7taskhost" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "vSrdtaskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8vB3taskhost" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Tp83services" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hb0Uservices" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Dwocservices" /sc ONSTART /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "yfRncsrss" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "oQtLcsrss" /sc ONLOGON /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1iVCcsrss" /sc ONSTART /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Documents\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "tGyJtaskhost" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SS0gtaskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "336mtaskhost" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9V32lsass" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "By5Plsass" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "h2t8lsass" /sc ONSTART /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DOP4lsm" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "L8Gllsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "zMRVlsm" /sc ONSTART /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc MINUTE /mo 13 /tr "'C:\Documents and Settings\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8NRTIdle" /sc MINUTE /mo 6 /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BouGIdle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "87eEIdle" /sc ONSTART /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\Documents and Settings\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "m5Wjexplorer" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "XOEZexplorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7sjcexplorer" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1Luitaskhost" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wKk3taskhost" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "D7gftaskhost" /sc ONSTART /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4OXzlsass" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MxwBlsass" /sc ONLOGON /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "kcVrlsass" /sc ONSTART /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Favorites\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "q6tplsm" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bHm5lsm" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Q9Zdlsm" /sc ONSTART /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "41quIdle" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "tpOXIdle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "uZEhIdle" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "nZTTexplorer" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "zlHMexplorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WGShexplorer" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fTm4csrss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8kjdcsrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "QCCgcsrss" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "btFqwinlogon" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "p6QVwinlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1yZVwinlogon" /sc ONSTART /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RsURlsass" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "krbAlsass" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "rkJOlsass" /sc ONSTART /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hX9tsmss" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bem0smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "zZfTsmss" /sc ONSTART /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\smss.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Documents and Settings\services.exe

"C:\Documents and Settings\services.exe"

Network

N/A

Files

C:\Documents and Settings\services.exe

MD5 07058fd5f1fc2c4176fed9696b6f724c
SHA1 29811a4adb11d1a93cdf468428de1e20a3fd9bec
SHA256 bbfe5c224fd63d8a04f3a832916042244f91b63c9760860e7fa21e2f577b3faf
SHA512 fe4e5013b615e1428b3e549b303bcd5af465b388aebf75769036d9eba7a5568cf587538e753a74ea619ccd12d68d768dcdd0cd742757ac0f301e3e54be3ce997

C:\Users\services.exe

MD5 07058fd5f1fc2c4176fed9696b6f724c
SHA1 29811a4adb11d1a93cdf468428de1e20a3fd9bec
SHA256 bbfe5c224fd63d8a04f3a832916042244f91b63c9760860e7fa21e2f577b3faf
SHA512 fe4e5013b615e1428b3e549b303bcd5af465b388aebf75769036d9eba7a5568cf587538e753a74ea619ccd12d68d768dcdd0cd742757ac0f301e3e54be3ce997

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-22 12:58

Reported

2022-03-22 13:00

Platform

win10v2004-en-20220113

Max time kernel

154s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\taskhostw.exe\", \"C:\\Windows\\ShellExperiences\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ShellExperiences\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\672b8129-ec62-44c0-9b64-4f082358c227.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220322125851.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellExperiences\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File created C:\Windows\ShellExperiences\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Windows\ShellExperiences\RCX6989.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Windows\ShellExperiences\RCX6A17.tmp C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
File opened for modification C:\Windows\ShellExperiences\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe
PID 1388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe
PID 3500 wrote to memory of 3396 N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3500 wrote to memory of 3396 N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3500 wrote to memory of 3096 N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3500 wrote to memory of 3096 N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3500 wrote to memory of 3616 N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3500 wrote to memory of 3616 N/A C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 5100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

"C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "oTaWtaskhostw" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "oSo4taskhostw" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7Jlztaskhostw" /sc ONSTART /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ukHWdllhost" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3N7Ddllhost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "g0uAdllhost" /sc ONSTART /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe

"C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c6b56dd-a821-4b3c-80f3-81b03e3b6500.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66e57812-7e61-4923-94fa-07f7dc0b5063.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13131/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe83a646f8,0x7ffe83a64708,0x7ffe83a64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ac955460,0x7ff7ac955470,0x7ff7ac955480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4199096172109590218,17418991841028549474,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6288 /prefetch:2

Network

Country Destination Domain Proto
RU 45.142.122.12:80 45.142.122.12 tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
NL 20.73.128.142:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 smartscreen-prod.microsoft.com udp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 20.73.128.142:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.bing.com udp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 204.79.197.219:443 tcp
US 8.8.4.4:443 dns.google udp
US 204.79.197.203:443 tcp
N/A 224.0.0.251:5353 udp
NL 23.73.0.161:443 tcp
US 204.79.197.203:443 tcp
US 8.8.8.8:53 dns.google udp
NL 20.73.128.142:443 nav.smartscreen.microsoft.com tcp
US 204.79.197.200:443 www.bing.com tcp
NL 23.202.229.49:443 tcp
IE 52.142.114.2:443 tcp
NL 52.222.137.105:443 tcp
US 8.8.8.8:53 dns.google udp
US 204.79.197.219:443 tcp
US 131.253.33.203:443 tcp
NL 104.109.143.4:443 tcp
NL 20.73.128.142:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
NL 20.73.130.64:443 nav.smartscreen.microsoft.com tcp
US 204.79.197.219:443 tcp
US 8.8.8.8:53 dns.google udp
US 152.199.19.161:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 204.79.197.219:443 tcp
US 8.8.8.8:53 dns.google udp
RU 45.142.122.12:80 45.142.122.12 tcp
US 8.8.8.8:53 dns.google udp
NL 20.73.128.142:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
N/A 127.0.0.1:13131 tcp

Files

memory/1388-130-0x00000000006B0000-0x0000000000878000-memory.dmp

memory/1388-131-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp

memory/1388-132-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/1388-133-0x00000000015B0000-0x0000000001600000-memory.dmp

memory/4820-134-0x000001C71A810000-0x000001C71A832000-memory.dmp

memory/4820-135-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp

memory/4820-136-0x000001C71A800000-0x000001C71A802000-memory.dmp

C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\taskhostw.exe

MD5 0085651602cc7042cecabd986ca68ff2
SHA1 8f024e1f4711137cd8ffae27bef48429d07dcf66
SHA256 2ac77d4be0a6703cdc114c13adb54734107a4d11078508503543d5e850568568
SHA512 ddfedd3eb896dd6ee9b195bb0c85525cb929fceadecd904d9319afb25f8d0e7450400eb46d32f38af71fed4249297077dfe4c0f77c8296dea9d3ba9f433831b1

memory/3500-139-0x00000000002F0000-0x00000000004B8000-memory.dmp

memory/3500-140-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp

memory/3500-141-0x000000001B190000-0x000000001B192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5c6b56dd-a821-4b3c-80f3-81b03e3b6500.vbs

MD5 fb7cc75a11a9bb8a37943b107bc724a3
SHA1 088d78392941a54d5edd8a08e665b93d3b78f945
SHA256 fcea0c4ed97b2cc262bc6e5eddaabbabf225c907bbbd5e752dd13153ca3a3ce1
SHA512 99625df82860f41b8a6f3dc1d2a20187a203e92acb7cfab5bae05fd6eea28cd193ba9bfda098eed1b009dfb0032663b23ea9cfd4bd1f6a7244b35263069a6f23

C:\Users\Admin\AppData\Local\Temp\66e57812-7e61-4923-94fa-07f7dc0b5063.vbs

MD5 cba563498f66a641db43437bad3db315
SHA1 67dfecfe58768e9ae93912ed2be4ed60b73edfed
SHA256 9522bb088e7f5e49a20a57969b007859daa4a34fd18aa7ad391ff4ddc7a2da27
SHA512 3a9acdff6b388643df1eaf9deadfccef724b577b0463f49517f1c79523c3c7214aea283eca4172849a8978e3271d67a7a2293e692682255fa589170160d500c1

memory/3500-144-0x000000001E1C0000-0x000000001E382000-memory.dmp

memory/3500-146-0x000000001B195000-0x000000001B197000-memory.dmp

memory/3500-145-0x000000001B193000-0x000000001B195000-memory.dmp

memory/3336-148-0x00007FFEA8400000-0x00007FFEA8401000-memory.dmp

\??\pipe\LOCAL\crashpad_3616_EKWJWHIGPEXAEPVW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3500-156-0x000000001FEC0000-0x00000000203E8000-memory.dmp