Overview
overview
10Static
static
1036c3-malwa.../1.exe
windows7_x64
1036c3-malwa.../1.exe
windows10-2004_x64
1036c3-malwa...86.exe
windows7_x64
1036c3-malwa...86.exe
windows10-2004_x64
1036c3-malwa...52.dll
windows7_x64
136c3-malwa...52.dll
windows10-2004_x64
636c3-malwa...V2.exe
windows7_x64
1036c3-malwa...V2.exe
windows10-2004_x64
1036c3-malwa....9.exe
windows7_x64
1036c3-malwa....9.exe
windows10-2004_x64
1036c3-malwa...aa.exe
windows7_x64
1036c3-malwa...aa.exe
windows10-2004_x64
1036c3-malwa...ty.exe
windows7_x64
1036c3-malwa...ty.exe
windows10-2004_x64
10Analysis
-
max time kernel
169s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-06-2022 02:44
Static task
static1
Behavioral task
behavioral1
Sample
36c3-malwarexchg-part3/1.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
36c3-malwarexchg-part3/1.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
36c3-malwarexchg-part3/5oaxnx86.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
36c3-malwarexchg-part3/5oaxnx86.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
36c3-malwarexchg-part3/6cb6fda0b353d411a30c5b945e53ea52.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
36c3-malwarexchg-part3/6cb6fda0b353d411a30c5b945e53ea52.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
36c3-malwarexchg-part3/DR_V2.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
36c3-malwarexchg-part3/DR_V2.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
36c3-malwarexchg-part3/GandCrabV5.0.9.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
36c3-malwarexchg-part3/GandCrabV5.0.9.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
36c3-malwarexchg-part3/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
36c3-malwarexchg-part3/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
36c3-malwarexchg-part3/pinebook-sality.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
36c3-malwarexchg-part3/pinebook-sality.exe
-
Size
97KB
-
MD5
4987bcfb27bbf54852fea8c71f1b952b
-
SHA1
0e4d3c37abca7f9098fe0fbbfba3e325576aa3a5
-
SHA256
37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4
-
SHA512
9acd9626fd6b4084acdb054ddcee9acda55dbd4fc9f569006a7f6daea6ff71848873fc843f741e3c641b105835049e02a7b71b4f6a74003f9085d06577b4692e
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" pinebook-sality.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" pinebook-sality.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" pinebook-sality.exe -
resource yara_rule behavioral14/memory/5024-130-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral14/memory/5024-132-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral14/memory/5024-133-0x00000000007F0000-0x00000000018AA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" pinebook-sality.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pinebook-sality.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pinebook-sality.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" pinebook-sality.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: pinebook-sality.exe File opened (read-only) \??\R: pinebook-sality.exe File opened (read-only) \??\U: pinebook-sality.exe File opened (read-only) \??\Z: pinebook-sality.exe File opened (read-only) \??\H: pinebook-sality.exe File opened (read-only) \??\K: pinebook-sality.exe File opened (read-only) \??\N: pinebook-sality.exe File opened (read-only) \??\P: pinebook-sality.exe File opened (read-only) \??\V: pinebook-sality.exe File opened (read-only) \??\I: pinebook-sality.exe File opened (read-only) \??\J: pinebook-sality.exe File opened (read-only) \??\O: pinebook-sality.exe File opened (read-only) \??\Q: pinebook-sality.exe File opened (read-only) \??\T: pinebook-sality.exe File opened (read-only) \??\X: pinebook-sality.exe File opened (read-only) \??\Y: pinebook-sality.exe File opened (read-only) \??\E: pinebook-sality.exe File opened (read-only) \??\G: pinebook-sality.exe File opened (read-only) \??\L: pinebook-sality.exe File opened (read-only) \??\M: pinebook-sality.exe File opened (read-only) \??\S: pinebook-sality.exe File opened (read-only) \??\W: pinebook-sality.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf pinebook-sality.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe pinebook-sality.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe pinebook-sality.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe pinebook-sality.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe pinebook-sality.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe pinebook-sality.exe File opened for modification C:\Program Files\7-Zip\7z.exe pinebook-sality.exe File opened for modification C:\Program Files\7-Zip\7zG.exe pinebook-sality.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe pinebook-sality.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe pinebook-sality.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe pinebook-sality.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe pinebook-sality.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\e56b710 pinebook-sality.exe File opened for modification C:\Windows\SYSTEM.INI pinebook-sality.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings pinebook-sality.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe 5024 pinebook-sality.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe Token: SeDebugPrivilege 5024 pinebook-sality.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5024 wrote to memory of 808 5024 pinebook-sality.exe 79 PID 5024 wrote to memory of 816 5024 pinebook-sality.exe 78 PID 5024 wrote to memory of 328 5024 pinebook-sality.exe 9 PID 5024 wrote to memory of 2836 5024 pinebook-sality.exe 20 PID 5024 wrote to memory of 2924 5024 pinebook-sality.exe 49 PID 5024 wrote to memory of 3060 5024 pinebook-sality.exe 48 PID 5024 wrote to memory of 3152 5024 pinebook-sality.exe 47 PID 5024 wrote to memory of 3264 5024 pinebook-sality.exe 23 PID 5024 wrote to memory of 3456 5024 pinebook-sality.exe 46 PID 5024 wrote to memory of 3568 5024 pinebook-sality.exe 45 PID 5024 wrote to memory of 3632 5024 pinebook-sality.exe 24 PID 5024 wrote to memory of 3724 5024 pinebook-sality.exe 44 PID 5024 wrote to memory of 3912 5024 pinebook-sality.exe 43 PID 5024 wrote to memory of 4584 5024 pinebook-sality.exe 41 PID 5024 wrote to memory of 808 5024 pinebook-sality.exe 79 PID 5024 wrote to memory of 816 5024 pinebook-sality.exe 78 PID 5024 wrote to memory of 328 5024 pinebook-sality.exe 9 PID 5024 wrote to memory of 2836 5024 pinebook-sality.exe 20 PID 5024 wrote to memory of 2924 5024 pinebook-sality.exe 49 PID 5024 wrote to memory of 3060 5024 pinebook-sality.exe 48 PID 5024 wrote to memory of 3152 5024 pinebook-sality.exe 47 PID 5024 wrote to memory of 3264 5024 pinebook-sality.exe 23 PID 5024 wrote to memory of 3456 5024 pinebook-sality.exe 46 PID 5024 wrote to memory of 3568 5024 pinebook-sality.exe 45 PID 5024 wrote to memory of 3632 5024 pinebook-sality.exe 24 PID 5024 wrote to memory of 3724 5024 pinebook-sality.exe 44 PID 5024 wrote to memory of 3912 5024 pinebook-sality.exe 43 PID 5024 wrote to memory of 4584 5024 pinebook-sality.exe 41 PID 5024 wrote to memory of 808 5024 pinebook-sality.exe 79 PID 5024 wrote to memory of 816 5024 pinebook-sality.exe 78 PID 5024 wrote to memory of 328 5024 pinebook-sality.exe 9 PID 5024 wrote to memory of 2836 5024 pinebook-sality.exe 20 PID 5024 wrote to memory of 2924 5024 pinebook-sality.exe 49 PID 5024 wrote to memory of 3060 5024 pinebook-sality.exe 48 PID 5024 wrote to memory of 3152 5024 pinebook-sality.exe 47 PID 5024 wrote to memory of 3264 5024 pinebook-sality.exe 23 PID 5024 wrote to memory of 3456 5024 pinebook-sality.exe 46 PID 5024 wrote to memory of 3568 5024 pinebook-sality.exe 45 PID 5024 wrote to memory of 3632 5024 pinebook-sality.exe 24 PID 5024 wrote to memory of 3724 5024 pinebook-sality.exe 44 PID 5024 wrote to memory of 3912 5024 pinebook-sality.exe 43 PID 5024 wrote to memory of 4584 5024 pinebook-sality.exe 41 PID 5024 wrote to memory of 808 5024 pinebook-sality.exe 79 PID 5024 wrote to memory of 816 5024 pinebook-sality.exe 78 PID 5024 wrote to memory of 328 5024 pinebook-sality.exe 9 PID 5024 wrote to memory of 2836 5024 pinebook-sality.exe 20 PID 5024 wrote to memory of 2924 5024 pinebook-sality.exe 49 PID 5024 wrote to memory of 3060 5024 pinebook-sality.exe 48 PID 5024 wrote to memory of 3152 5024 pinebook-sality.exe 47 PID 5024 wrote to memory of 3264 5024 pinebook-sality.exe 23 PID 5024 wrote to memory of 3456 5024 pinebook-sality.exe 46 PID 5024 wrote to memory of 3568 5024 pinebook-sality.exe 45 PID 5024 wrote to memory of 3632 5024 pinebook-sality.exe 24 PID 5024 wrote to memory of 3724 5024 pinebook-sality.exe 44 PID 5024 wrote to memory of 3912 5024 pinebook-sality.exe 43 PID 5024 wrote to memory of 4584 5024 pinebook-sality.exe 41 PID 5024 wrote to memory of 808 5024 pinebook-sality.exe 79 PID 5024 wrote to memory of 816 5024 pinebook-sality.exe 78 PID 5024 wrote to memory of 328 5024 pinebook-sality.exe 9 PID 5024 wrote to memory of 2836 5024 pinebook-sality.exe 20 PID 5024 wrote to memory of 2924 5024 pinebook-sality.exe 49 PID 5024 wrote to memory of 3060 5024 pinebook-sality.exe 48 PID 5024 wrote to memory of 3152 5024 pinebook-sality.exe 47 PID 5024 wrote to memory of 3264 5024 pinebook-sality.exe 23 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" pinebook-sality.exe
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:328
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3264
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3632
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4584
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3912
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3724
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3568
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3456
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\pinebook-sality.exe"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\pinebook-sality.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5024
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2924
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:816
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:808