Malware Analysis Report

2024-11-16 13:17

Sample ID 240518-3f9ljsdh5t
Target 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
SHA256 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

Threat Level: Known bad

The file 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

UAC bypass

Modifies firewall policy service

Sality

Windows security bypass

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Executes dropped EXE

Deletes itself

Loads dropped DLL

Windows security modification

Modifies system executable filetype association

UPX packed file

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

System policy modification

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 23:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 23:28

Reported

2024-05-18 23:31

Platform

win7-20240508-en

Max time kernel

22s

Max time network

17s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\scvhost.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\scvhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\scvhost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\scvhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe" C:\Windows\SysWOW64\regedit.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\scvhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\scvhost.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\c:\Autorun.inf C:\Windows\SysWOW64\scvhost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
File opened for modification C:\Windows\SysWOW64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
File opened for modification C:\Windows\SysWOW64\Funny!.reg C:\Windows\SysWOW64\scvhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\scvhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
N/A N/A C:\Windows\SysWOW64\scvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\taskhost.exe
PID 1904 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\Dwm.exe
PID 1904 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\Explorer.EXE
PID 1904 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\DllHost.exe
PID 1904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1904 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1904 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1904 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1904 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 1904 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 1904 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 1904 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 2916 wrote to memory of 1328 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1328 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1328 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1328 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1040 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\taskhost.exe
PID 2916 wrote to memory of 1148 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\Dwm.exe
PID 2916 wrote to memory of 1192 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\Explorer.EXE
PID 2916 wrote to memory of 2128 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\explorer.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 2552 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1040 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\taskhost.exe
PID 2916 wrote to memory of 1148 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\Dwm.exe
PID 2916 wrote to memory of 1192 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\Explorer.EXE
PID 2916 wrote to memory of 2128 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\explorer.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2916 wrote to memory of 1068 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\scvhost.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

"C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg

C:\Windows\SysWOW64\scvhost.exe

C:\Windows\System32\scvhost.exe

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Funny!.reg

MD5 ca7cc4fbc1b64aca44aa87e06bdfb37c
SHA1 bf7b81080a8268a0370cada6f9123de4583be83a
SHA256 cd1763b9cf7b6064f2627f6f44fe057b339de6388475e97ecfa3e3423386b840
SHA512 6c20ea4830c6732a1a2c84dd070f9ac90ae394c1dc891310fe615bc1991b99ff47c95d142d6e88fbc0ea84eea1842624cfbf9fc20144785cbe445c15826f0437

C:\Windows\SysWOW64\scvhost.exe

MD5 93bf1a918b8ea7bfd4d53f7f54de6282
SHA1 b8aea380163f1a82bee3b41d1042261c06f70e04
SHA256 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
SHA512 ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066

C:\Windows\SysWOW64\Funny!.reg

MD5 3d12304930d03f2cbbc4b7fc6fbe4994
SHA1 3270ce4fc3f7be8f318d5d88abbe04f412efb259
SHA256 c9c584407078a606b868fcbf5ccdf2648724969f6c79b882f15ec0a8773ec826
SHA512 d1014cafffe5f509986b9c0769563648d13db32b2a6247dda5beb5cadc8a11589c643c96da2ff6f8801a8581e0c5e8ee3550ad810af4d3658fe95a42efd6dabb

C:\Windows\SYSTEM.INI

MD5 2541422c2df73d3294e1887654b3d5c6
SHA1 3fb207821b55c3e60c9b367af848ceddc5eb5dfe
SHA256 e7a365827332c4a8845e7215924e6dc03c83407bb178d397ac72962b059ad033
SHA512 384d9cd07ffe3e09a222240818dc87b31a637c601f552d8c45943fdcedda0f308de1d3000d6d3ef4e89503344f0dde6af07de35f5c001188e3c9dacf0a931eba

C:\yyvue.pif

MD5 818c3dd912f5417e6fcd61372c83013f
SHA1 2ef4c94a3f7404ba7a5d80b337af8952ac782003
SHA256 440a873cb9aa5d0080e3b5be89b546b0ceab270e314743235efae52ad5a5d0c7
SHA512 0af897468bbef87eaa5f89fa0b527d4b654abc98104d758d3ccd8edb90ae5dec2f124253122c0dee93efedf45c3b7703d0cc346cdab7932dc870cbd118afb90f

C:\autorun.inf

MD5 45ba818e996f339032a55885dcc84e33
SHA1 4af8a3e2594637f916e2967378b8d618fd7cd90a
SHA256 71a17ebeb1257b5f9d9e4d7b9dfd2a9385873b6d70795ecd30f1d60cb01401ea
SHA512 958f3368481e75866beba49ae4efb403daa8fe5aa77c2e30122807b1db676f2c7c8624f2bb74316e6c36d4185edd994fadb99072a4c2c041845f5b88561fb8e0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 23:28

Reported

2024-05-18 23:31

Platform

win10v2004-20240426-en

Max time kernel

19s

Max time network

135s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\regedit.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\scvhost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\regedit.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\scvhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\scvhost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\scvhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\scvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe" C:\Windows\SysWOW64\regedit.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\scvhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\scvhost.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\scvhost.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\c:\Autorun.inf C:\Windows\SysWOW64\scvhost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
File opened for modification C:\Windows\SysWOW64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
File opened for modification C:\Windows\SysWOW64\Funny!.reg C:\Windows\SysWOW64\scvhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Windows\SysWOW64\regedit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\fontdrvhost.exe
PID 1956 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\fontdrvhost.exe
PID 1956 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\dwm.exe
PID 1956 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\sihost.exe
PID 1956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\svchost.exe
PID 1956 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\taskhostw.exe
PID 1956 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\Explorer.EXE
PID 1956 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\svchost.exe
PID 1956 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\DllHost.exe
PID 1956 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1956 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\System32\RuntimeBroker.exe
PID 1956 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1956 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\System32\RuntimeBroker.exe
PID 1956 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\System32\RuntimeBroker.exe
PID 1956 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1956 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\System32\RuntimeBroker.exe
PID 1956 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1956 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1956 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1956 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1956 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\explorer.exe
PID 1956 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 1956 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 1956 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe C:\Windows\SysWOW64\scvhost.exe
PID 2040 wrote to memory of 3944 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 3944 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 3944 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 780 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\fontdrvhost.exe
PID 2040 wrote to memory of 784 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\fontdrvhost.exe
PID 2040 wrote to memory of 336 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\dwm.exe
PID 2040 wrote to memory of 2604 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\sihost.exe
PID 2040 wrote to memory of 2636 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\taskhostw.exe
PID 2040 wrote to memory of 3424 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\Explorer.EXE
PID 2040 wrote to memory of 3536 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 3728 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\DllHost.exe
PID 2040 wrote to memory of 3824 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2040 wrote to memory of 3892 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 3976 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2040 wrote to memory of 2932 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 4664 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 2240 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2040 wrote to memory of 5028 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 4932 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2040 wrote to memory of 3884 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\explorer.exe
PID 2040 wrote to memory of 4888 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 4464 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 4464 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 4464 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe
PID 2040 wrote to memory of 2424 N/A C:\Windows\SysWOW64\scvhost.exe C:\Windows\SysWOW64\regedit.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\scvhost.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

"C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg

C:\Windows\SysWOW64\scvhost.exe

C:\Windows\System32\scvhost.exe

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

C:\Windows\SysWOW64\regedit.exe

regedit /s C:\Windows\SysWOW64\Funny!.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1956-0-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1956-1-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-4-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-8-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-6-0x00000000004C0000-0x00000000004C2000-memory.dmp

memory/1956-7-0x0000000002040000-0x0000000002041000-memory.dmp

memory/1956-13-0x00000000004C0000-0x00000000004C2000-memory.dmp

memory/1956-14-0x00000000004C0000-0x00000000004C2000-memory.dmp

memory/1956-11-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-5-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-9-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-15-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-16-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-17-0x00000000029C0000-0x0000000003A4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Funny!.reg

MD5 ca7cc4fbc1b64aca44aa87e06bdfb37c
SHA1 bf7b81080a8268a0370cada6f9123de4583be83a
SHA256 cd1763b9cf7b6064f2627f6f44fe057b339de6388475e97ecfa3e3423386b840
SHA512 6c20ea4830c6732a1a2c84dd070f9ac90ae394c1dc891310fe615bc1991b99ff47c95d142d6e88fbc0ea84eea1842624cfbf9fc20144785cbe445c15826f0437

C:\Windows\SysWOW64\scvhost.exe

MD5 93bf1a918b8ea7bfd4d53f7f54de6282
SHA1 b8aea380163f1a82bee3b41d1042261c06f70e04
SHA256 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
SHA512 ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066

memory/2040-25-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Windows\SysWOW64\Funny!.reg

MD5 3d12304930d03f2cbbc4b7fc6fbe4994
SHA1 3270ce4fc3f7be8f318d5d88abbe04f412efb259
SHA256 c9c584407078a606b868fcbf5ccdf2648724969f6c79b882f15ec0a8773ec826
SHA512 d1014cafffe5f509986b9c0769563648d13db32b2a6247dda5beb5cadc8a11589c643c96da2ff6f8801a8581e0c5e8ee3550ad810af4d3658fe95a42efd6dabb

memory/1956-32-0x00000000029C0000-0x0000000003A4E000-memory.dmp

memory/1956-41-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2040-62-0x0000000003220000-0x00000000042AE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 ae88d414c556e52d6bf60ca30b3af233
SHA1 2f1764c228ad575a9935955ceabe5c1bc1b78052
SHA256 db1e0ccb82ffa18b4972dcbe705d9e206758a4d6e31e6c3cc38019f3b44f3214
SHA512 62a3bd53cf678f3c93e49bd134d74dc731883f238e9408a2cdcb4ea530b6ea7058d42cc14cd99642e4451f973096a064f03dfc880348c6eba522f8bba1bd17b2

memory/2040-65-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-66-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-71-0x0000000002240000-0x0000000002242000-memory.dmp

memory/2040-64-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-68-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/2040-70-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-72-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-69-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-74-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-73-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-80-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-81-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-82-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-88-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-89-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-98-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-102-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-108-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-109-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-118-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-130-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-131-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-142-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-143-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-161-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-160-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-163-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-172-0x0000000003220000-0x00000000042AE000-memory.dmp

memory/2040-180-0x0000000003220000-0x00000000042AE000-memory.dmp

C:\mdldp.pif

MD5 81423315cb3b362cdb86bc18501be804
SHA1 4992fc0e7afb24e15fcb180683f97812da81fd1c
SHA256 e7cdd5d5de75dbd5d1c828c5f2463a1425da7b1cc08347d1aca50b6375471c87
SHA512 8d9a25e25ea61ba85d6c1b9fe29e34df9749c033aa8d1b856c24eafb03708aae172aa8443fb87fe84cfe27c0dbf4f0926d9a7cf94fcd7c24a25acaf79bf101dc

C:\autorun.inf

MD5 6bc3d11bd81af37b5af86c9e307526f1
SHA1 e94c73160d3917a7a162c5a9eda2cdd3c751feeb
SHA256 d4acf93d0dec8bdebbd6ecc0ca20159bbc8018a176a40292b857d4fac3f80fb2
SHA512 0cd9c4704bcb8e6ac3a0844832ae1cec6664cc65fff73839517ed8e758336109d0525221a6e823fea30fa154620ef4a67276a28f8392af4354e9c765f9af2c6d