Overview
overview
10Static
static
10arrow/0caa...bd.exe
windows7-x64
10arrow/0caa...bd.exe
windows10-2004-x64
10arrow/150c...0a.exe
windows7-x64
10arrow/150c...0a.exe
windows10-2004-x64
10arrow/17a7...ff.exe
windows7-x64
10arrow/17a7...ff.exe
windows10-2004-x64
10arrow/2380...0c.exe
windows7-x64
10arrow/2380...0c.exe
windows10-2004-x64
10arrow/2fb8...ee.exe
windows7-x64
3arrow/2fb8...ee.exe
windows10-2004-x64
7arrow/3dbd...fb.exe
windows7-x64
10arrow/3dbd...fb.exe
windows10-2004-x64
10arrow/4a09...07.exe
windows7-x64
10arrow/4a09...07.exe
windows10-2004-x64
10arrow/4c4d...a5.exe
windows7-x64
3arrow/4c4d...a5.exe
windows10-2004-x64
7arrow/54a0...24.exe
windows7-x64
10arrow/54a0...24.exe
windows10-2004-x64
10arrow/59a7...8c.exe
windows7-x64
10arrow/59a7...8c.exe
windows10-2004-x64
10arrow/5a45...7c.exe
windows7-x64
10arrow/5a45...7c.exe
windows10-2004-x64
10arrow/5d57...92.exe
windows7-x64
10arrow/5d57...92.exe
windows10-2004-x64
10arrow/6540...5e.exe
windows7-x64
10arrow/6540...5e.exe
windows10-2004-x64
10arrow/8a3d...bc.exe
windows7-x64
10arrow/8a3d...bc.exe
windows10-2004-x64
10arrow/a192...71.exe
windows7-x64
10arrow/a192...71.exe
windows10-2004-x64
7arrow/b20d...3f.exe
windows7-x64
10arrow/b20d...3f.exe
windows10-2004-x64
10Analysis
-
max time kernel
138s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
04-05-2023 12:31
Static task
static1
Behavioral task
behavioral1
Sample
arrow/0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
arrow/0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
arrow/150c06bc4cba9064302fb96f2b3565f433b43847b6d59448ce15b9024e6c9b0a.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
arrow/150c06bc4cba9064302fb96f2b3565f433b43847b6d59448ce15b9024e6c9b0a.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
arrow/17a76858f5bba3812b8f429e261ba0e84baf8197fe1f4478aa6c7adc5d8dd6ff.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
arrow/17a76858f5bba3812b8f429e261ba0e84baf8197fe1f4478aa6c7adc5d8dd6ff.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
arrow/2380ff875da958af3a345764860a8d70761bdc4f9feb20c1b183a83b9cae1b0c.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
arrow/2380ff875da958af3a345764860a8d70761bdc4f9feb20c1b183a83b9cae1b0c.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
arrow/2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
arrow/2fb8100d4fb1ee22837aec10889c4b0303434e50944b96a390164e449eb62dee.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
arrow/3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
arrow/3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
arrow/4a09a7db3729524b264f61bd57d422714e43167d391eae1df73cad90c2982d07.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
arrow/4a09a7db3729524b264f61bd57d422714e43167d391eae1df73cad90c2982d07.exe
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
arrow/4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
arrow/4c4d844ace41156600bf0c2ab9df287538002abf30d0ba3f50836b2e49f5e0a5.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
arrow/54a0a1cf6b5fb30614ff4a2a7757cadf23fa539b4a352137dfc3292c6ceffa24.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
arrow/54a0a1cf6b5fb30614ff4a2a7757cadf23fa539b4a352137dfc3292c6ceffa24.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
arrow/59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
arrow/59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
arrow/5a45e4a32a4f2081b33dee2ab94eb3ebb4afafe0bd8f5b76e93dfe975c4a607c.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
arrow/5a45e4a32a4f2081b33dee2ab94eb3ebb4afafe0bd8f5b76e93dfe975c4a607c.exe
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
arrow/5d573461fbe87a4441a12b5b61a3b74019aa21a784f9cf4410e1da100a55c792.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
arrow/5d573461fbe87a4441a12b5b61a3b74019aa21a784f9cf4410e1da100a55c792.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
arrow/65403a8b9ecca912ea5cfa91aecdbe77c23e652e4c7465efded126c74711f65e.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
arrow/65403a8b9ecca912ea5cfa91aecdbe77c23e652e4c7465efded126c74711f65e.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
arrow/8a3d555c8d1019b6d42721a2eea770d2101458fd70b208f6767db2eeb1cd44bc.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
arrow/8a3d555c8d1019b6d42721a2eea770d2101458fd70b208f6767db2eeb1cd44bc.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
arrow/a1923ce6f95ba7e57b9d8ea27c1867283cacbc992a0f9e16ec9dd864930d9d71.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
arrow/a1923ce6f95ba7e57b9d8ea27c1867283cacbc992a0f9e16ec9dd864930d9d71.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
arrow/b20df532e15674feb9da8728664caa14c6447f4473f2d64f6052de6af0737b3f.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
arrow/b20df532e15674feb9da8728664caa14c6447f4473f2d64f6052de6af0737b3f.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
arrow/59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe
-
Size
138KB
-
MD5
bdc72c4851b8543f9f57215f1a3fc336
-
SHA1
b04f8b232040200d68a75400c5e160d0f61387f7
-
SHA256
59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c
-
SHA512
884be565c02616d79feea31aaa2d13926e9fe530ed656a31595d2f295c346867cf4f4c313350b695d3f8b30e56c625995e360e50820bccc605e915ab3cd68599
-
SSDEEP
3072:6bvu5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Y/:6bvqS7BqjjYHdrqkL/
Malware Config
Extracted
arrowrat
0XU9G7
pandora2425.duckdns.org:2425
JGLG6C
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1532 1148 WerFault.exe 27 -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: 33 1144 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1144 AUDIODG.EXE Token: 33 1144 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1144 AUDIODG.EXE Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe Token: SeShutdownPrivilege 2020 explorer.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe -
Suspicious use of SendNotifyMessage 21 IoCs
pid Process 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 1148 wrote to memory of 2020 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 28 PID 1148 wrote to memory of 2020 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 28 PID 1148 wrote to memory of 2020 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 28 PID 2020 wrote to memory of 864 2020 explorer.exe 29 PID 2020 wrote to memory of 864 2020 explorer.exe 29 PID 2020 wrote to memory of 864 2020 explorer.exe 29 PID 1148 wrote to memory of 676 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 30 PID 1148 wrote to memory of 676 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 30 PID 1148 wrote to memory of 676 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 30 PID 1148 wrote to memory of 676 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 30 PID 1148 wrote to memory of 1420 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 31 PID 1148 wrote to memory of 1420 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 31 PID 1148 wrote to memory of 1420 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 31 PID 1148 wrote to memory of 1420 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 31 PID 1148 wrote to memory of 2024 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 32 PID 1148 wrote to memory of 2024 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 32 PID 1148 wrote to memory of 2024 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 32 PID 1148 wrote to memory of 2024 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 32 PID 1148 wrote to memory of 1704 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 33 PID 1148 wrote to memory of 1704 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 33 PID 1148 wrote to memory of 1704 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 33 PID 1148 wrote to memory of 1704 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 33 PID 1148 wrote to memory of 316 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 34 PID 1148 wrote to memory of 316 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 34 PID 1148 wrote to memory of 316 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 34 PID 1148 wrote to memory of 316 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 34 PID 1148 wrote to memory of 1912 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 35 PID 1148 wrote to memory of 1912 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 35 PID 1148 wrote to memory of 1912 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 35 PID 1148 wrote to memory of 1912 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 35 PID 1148 wrote to memory of 560 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 36 PID 1148 wrote to memory of 560 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 36 PID 1148 wrote to memory of 560 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 36 PID 1148 wrote to memory of 560 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 36 PID 1148 wrote to memory of 1892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 37 PID 1148 wrote to memory of 1892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 37 PID 1148 wrote to memory of 1892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 37 PID 1148 wrote to memory of 1892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 37 PID 1148 wrote to memory of 768 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 38 PID 1148 wrote to memory of 768 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 38 PID 1148 wrote to memory of 768 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 38 PID 1148 wrote to memory of 768 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 38 PID 1148 wrote to memory of 892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 39 PID 1148 wrote to memory of 892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 39 PID 1148 wrote to memory of 892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 39 PID 1148 wrote to memory of 892 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 39 PID 1148 wrote to memory of 1532 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 41 PID 1148 wrote to memory of 1532 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 41 PID 1148 wrote to memory of 1532 1148 59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe 41 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\arrow\59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe"C:\Users\Admin\AppData\Local\Temp\arrow\59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\system32\ctfmon.exectfmon.exe3⤵PID:864
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:1420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:2024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:1704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:1912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:1892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C2⤵PID:892
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1148 -s 6602⤵
- Program crash
PID:1532
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x54c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144