Malware Analysis Report

2024-09-11 12:57

Sample ID 240610-x8lgjayanj
Target f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957
SHA256 f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957

Threat Level: Known bad

The file f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies firewall policy service

Sality

UAC bypass

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Modifies Installed Components in the registry

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Deletes itself

Checks whether UAC is enabled

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 19:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 19:31

Reported

2024-06-10 19:34

Platform

win7-20240220-en

Max time kernel

26s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\G: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\H: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\I: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\J: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\K: \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\taskhost.exe
PID 2916 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\Dwm.exe
PID 2916 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\Explorer.EXE
PID 2916 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\DllHost.exe
PID 2916 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe \??\c:\windows\system\explorer.exe
PID 2916 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe \??\c:\windows\system\explorer.exe
PID 2916 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe \??\c:\windows\system\explorer.exe
PID 2916 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe \??\c:\windows\system\explorer.exe
PID 2676 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2676 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2676 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2676 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2368 wrote to memory of 2288 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2368 wrote to memory of 2288 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2368 wrote to memory of 2288 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2368 wrote to memory of 2288 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2288 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2288 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2288 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2288 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2288 wrote to memory of 288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2288 wrote to memory of 288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2288 wrote to memory of 288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2288 wrote to memory of 288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2676 wrote to memory of 1072 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhost.exe
PID 2676 wrote to memory of 1128 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\Dwm.exe
PID 2676 wrote to memory of 1152 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE
PID 2676 wrote to memory of 2288 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 2676 wrote to memory of 2288 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe
PID 2676 wrote to memory of 1072 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhost.exe
PID 2676 wrote to memory of 1128 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\Dwm.exe
PID 2676 wrote to memory of 1152 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe

"C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2916-0-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2916-1-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-6-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-7-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-4-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-10-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-8-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-24-0x0000000000700000-0x0000000000702000-memory.dmp

memory/2916-25-0x0000000000700000-0x0000000000702000-memory.dmp

memory/2916-23-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/2916-21-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/2916-20-0x0000000000700000-0x0000000000702000-memory.dmp

memory/1072-13-0x0000000002010000-0x0000000002012000-memory.dmp

memory/2916-11-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-9-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-12-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-28-0x0000000002680000-0x000000000370E000-memory.dmp

\Windows\system\explorer.exe

MD5 3c0247cac506cb11d03cb4912ba16d70
SHA1 a49f87cf189c3a3bcac30b3443a7abe14a0bd691
SHA256 b9b507a6597f26ba87c872254de9cfa316f494d2acdc81a6260bf0b1e3bd2ee8
SHA512 25339dcf1ee18d2366309331f4ba3c68fb7a9d6b7c0ad0c8bd4e82f29033a473cf683d793a348579a5473601efa27e2447f66464da0ce7037261c9f40f23207c

memory/2916-33-0x0000000005610000-0x0000000005651000-memory.dmp

memory/2916-27-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-39-0x0000000005750000-0x0000000005791000-memory.dmp

memory/2676-41-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\system\spoolsv.exe

MD5 97cbe5b711a1e4ba9bfe7f3f56b2a1de
SHA1 880f3afb6ae7247ff763b09ff662044bf2d5ab07
SHA256 d785d954c54cc0ab3ee1179bdc71fa2fdc5d1809ab33212e88765fdb1d57657d
SHA512 0a8072587cd54be98bc65417bd475e118957877adab170d9f5a10e0120db08c6ca0ff47236c20d2fa06dd1a863dbe673ce3b5f1a8c3fd581f12318da1b880aac

memory/2916-34-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2368-57-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2676-56-0x00000000033B0000-0x00000000033F1000-memory.dmp

C:\Windows\system\svchost.exe

MD5 0298d3c8e24ba4f117a139a8106e268d
SHA1 2738cb01df3d30cdd3e14ba17e2492986667398a
SHA256 ba2a1ae76d3c9511458811902d09e74cc4fa7a13af5ff3b47e88f4a44b5eae3b
SHA512 2263cc0050642e60f0485a799cf52af9210f6b56ac9769b6d512bb0ae5a215f9554a7e9a51aabaf6f145345c71438e17ef5b5f4bdeaf7f7c4dd046f77ccfdec3

memory/2676-50-0x00000000033B0000-0x00000000033F1000-memory.dmp

memory/2916-74-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2916-78-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2572-84-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2572-81-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2368-87-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2916-102-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3f5e9e1d134bdd1c640cb6cf67675dcf
SHA1 1a2bb871f04a5deffe69580d96abaf055efbc928
SHA256 e94df1d34cd4e051992931c90da077cf514cdfa311441c5aafc2c06705595724
SHA512 df649d1c00505d1dbfbba381d4b8e5406752eefe0bd7db1f358caa1b563d33470da5e3d69f2fe4fce36ed34537570c0b574e7d56bd0924733a751fc408a032a1

C:\Windows\SYSTEM.INI

MD5 15dff41f3ca4be6835a2e520348dc73d
SHA1 555b2d92ae13946f0416d8d064d5d6ffa63eb105
SHA256 8d6dd2f0bf34e1ca623fc7d4b0476809587833105aec362acb059e888f1a0afd
SHA512 53c6ae79a1b7a6af5d96dc23f1ba23aa009c22b1ef8d0a639ef4637450b1790a22cc509b5af59ffedeecf4accf487ee32c57394ad481c11eaa56af470328453a

memory/2676-104-0x00000000033B0000-0x000000000443E000-memory.dmp

memory/2288-126-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2676-107-0x00000000033B0000-0x000000000443E000-memory.dmp

memory/2676-120-0x0000000000550000-0x0000000000551000-memory.dmp

memory/2676-108-0x00000000033B0000-0x000000000443E000-memory.dmp

memory/2676-127-0x00000000033B0000-0x000000000443E000-memory.dmp

memory/2676-106-0x00000000033B0000-0x000000000443E000-memory.dmp

memory/2676-129-0x00000000033B0000-0x000000000443E000-memory.dmp

C:\hfyji.pif

MD5 cc3c654c48cd6400c85b99dedea71a4c
SHA1 e373bcb6ae064517da8b41fae03e38c6fc9e3536
SHA256 9cf9493edad5606f7e6fb274f2f82e6c7e3f1ce5acf6ecb90a9bc9b6bc7d6c5d
SHA512 c43dd3d8a2ab6dd926768fe995540afe25094da12550905a453f5fe3736688fa6c213c1a891e3e707d6e5a7dadf9e64bdf299aebba9362933b188397328cac36

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 19:31

Reported

2024-06-10 19:34

Platform

win10v2004-20240508-en

Max time kernel

23s

Max time network

57s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\L: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\M: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\E: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\G: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\H: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\I: \??\c:\windows\system\explorer.exe N/A
File opened (read-only) \??\J: \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\fontdrvhost.exe
PID 3452 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\fontdrvhost.exe
PID 3452 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\dwm.exe
PID 3452 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\sihost.exe
PID 3452 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\svchost.exe
PID 3452 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\taskhostw.exe
PID 3452 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\Explorer.EXE
PID 3452 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\svchost.exe
PID 3452 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\DllHost.exe
PID 3452 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3452 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3452 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3452 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3452 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe \??\c:\windows\system\explorer.exe
PID 1548 wrote to memory of 1236 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1236 wrote to memory of 4436 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4436 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4436 wrote to memory of 2316 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1548 wrote to memory of 776 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\fontdrvhost.exe
PID 1548 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\fontdrvhost.exe
PID 1548 wrote to memory of 316 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\dwm.exe
PID 1548 wrote to memory of 2504 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\sihost.exe
PID 1548 wrote to memory of 2520 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\taskhostw.exe
PID 1548 wrote to memory of 3432 N/A \??\c:\windows\system\explorer.exe C:\Windows\Explorer.EXE
PID 1548 wrote to memory of 3552 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 3808 N/A \??\c:\windows\system\explorer.exe C:\Windows\system32\DllHost.exe
PID 1548 wrote to memory of 3920 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1548 wrote to memory of 3988 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 1548 wrote to memory of 4084 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1548 wrote to memory of 3864 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 1548 wrote to memory of 5064 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 1548 wrote to memory of 3664 N/A \??\c:\windows\system\explorer.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1548 wrote to memory of 2512 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 1548 wrote to memory of 5100 N/A \??\c:\windows\system\explorer.exe C:\Windows\System32\RuntimeBroker.exe
PID 1548 wrote to memory of 4436 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" \??\c:\windows\system\explorer.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe

"C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

\??\c:\windows\system\explorer.exe

MD5 e20a214bc4b34f67f1ec20e8cb5b34d0
SHA1 c6fd05c154acdc15d6ddc9550db99d6f0cbafb07
SHA256 0b5cf2aca37eb8ceec5b24d3457f1ad9154878dd19768f0de0f7e56946b5702e
SHA512 7da9fca822229756def3ffe1fa6653b213b69a93d089ceb3525231048110fbdadf78a0bbaecd7c91643dd26df3ca0dd098bcf9fb312883edfac6ccb034ff060c

C:\Windows\System\spoolsv.exe

MD5 c6dba8a6519b0c1db7959255da704ed7
SHA1 cc4993c7396ef22e6012ceb404f96c3423975ed6
SHA256 d289d3c2caedbcd01ddda6ce3bfed416528de05e303641f19ac9328bdacd7274
SHA512 63c33b2fcee43e44ddadf601740029ec8f4d7174aec7175369233975382dd588b4c7f8ede10a480841a1513dbb0584f57c7035002d344ccd0892bf343b52e3cf

C:\Windows\System\svchost.exe

MD5 311456298315bf7cdf99b6e0bcf90aa0
SHA1 c5e395051599fb01656e042fb8ff0726b740df7f
SHA256 ef91e8fca886157260a0ebaef3c54498e4006d1713e33735ffd0e3019c6dd391
SHA512 96a1ca86018cba2799ac1064932877a86534271af4b7f18475c1f6ea654df29ea5beb924c6400e923669bfaf268abe8f24fb1a0b97868924ffab7375bc984d38

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 d0f680855eb13f2a27e5bb7645b7d397
SHA1 5e81030282e95d4593704cb4d69027f167660ddd
SHA256 156682bd349fbe3348ce68891dbf8f07a4c5063feea0f28240b8ad749ebd2953
SHA512 bff20f308a7380d74cb072da35bf1a4f52271ca62f7030aec5812e0a1a4a68f012d915c60721e07e0b0f805a7381b94859c4827788f9febf17b1b74b3b60e580

C:\Windows\SYSTEM.INI

MD5 5aaf82d4a06742ad34efaf4ca399855d
SHA1 2854e519eaa0e2bb97e1ff743d80440550a206f9
SHA256 caf552b8112733ea8a49ee7c3abee5d1edc46501415ded23f309fdd20d5bb720
SHA512 721afb905c66796e48b564a75275f9b7e84c605bbef088e82e7d27cfaa375ea122b13e1bf4ccbb5b5ae4ee2f549ac533bb1cf055ef175c8daad7d47c7c557f36

C:\qhwatj.exe

MD5 7c6ea3604756d4e0d4113fa422f411f5
SHA1 f2231d0a91321ab20120fa1ba6b4e3720e0d8481
SHA256 78ad660a2d4c21530032a37de21abae7390c402e2dc687a53b4fa88ca06bcd8c
SHA512 ca28bc08cba4a462381c2ffbe825490e39d929b3577d5878748753848b842b6d08f55f6db3d1ce2772afc797118f243a6b7b16851682044639f903d485405dbe

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e