Malware Analysis Report

2024-09-11 12:45

Sample ID 240611-w7aszaxaml
Target b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad
SHA256 b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad
Tags
sality backdoor bootkit evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad

Threat Level: Known bad

The file b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

UAC bypass

Sality

Windows security bypass

Modifies firewall policy service

UPX packed file

Windows security modification

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 18:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 18:33

Reported

2024-06-11 18:35

Platform

win7-20240221-en

Max time kernel

123s

Max time network

126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(32 identical rows in the original table; the UPX signature reports no per-row indicator)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
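Several signatures above fire on the same registry writes: the EnableLUA = "0" row appears under UAC bypass, under Checks whether UAC is enabled, and again under System policy modification further down, and the Security Center rows are listed under both Windows security bypass and Windows security modification. The useful unit for triage is therefore the set of distinct values written, compared against what those values default to. The script below is an added example by the editor, not part of the sandbox report: it parses the report's own Set value rows (copied inline), deduplicates them and checks each against the stock Windows 7 default. It makes two caveats visible. DoNotAllowExceptions = "0" is already the default, so that row records a write but not a weakening; the signature fires on the write, not on the value. And the Security Center values landed under Wow6432Node, the 32-bit view of HKLM\SOFTWARE that a 32-bit process is redirected to on 64-bit Windows, while EnableLUA landed in the shared Policies key; whether the 64-bit Security Center service honours the Wow6432Node copy is something to verify on the host rather than assume. EnableLUA = 0 also only takes effect after a reboot, and nothing in the 123 s run indicates one. The baseline defaults in the script are the documented Windows defaults and are the editor's addition, not something the report states.

```python
import re
from dataclasses import dataclass

# Added example, not part of the sandbox report. SANDBOX_ROWS holds the
# "Set value" and "Key created" indicators from the firewall-policy, UAC and
# Security Center signature tables of this report, copied verbatim; the process
# column (always the sample's own path) and the N/A target column are omitted.
SANDBOX_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc',
]

# Shape of a sandbox "Set value" row: Set value (type) <key>\<name> = "<data>"
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$'
)


@dataclass(frozen=True)
class RegWrite:
    key: str    # registry key in the sandbox's \REGISTRY\MACHINE\... notation
    name: str   # value name
    data: str   # value data exactly as the report prints it (a string even for ints)

    @property
    def wow64_view(self) -> bool:
        """True when the write landed in the 32-bit (Wow6432Node) view of HKLM\\SOFTWARE."""
        return "\\Wow6432Node\\" in self.key


def parse_set_value_rows(rows):
    """Parse the 'Set value' rows; rows of any other shape (Key created, ...) are skipped."""
    writes = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if m:
            writes.append(RegWrite(m["key"], m["name"], m["data"]))
    return writes


def unique_writes(writes):
    """Deduplicate: the report lists the same write under several signatures."""
    return sorted(set(writes), key=lambda w: (w.key, w.name))


# Stock Windows 7 default for each value the sample wrote, and what the value
# controls. Keyed on the key's last path component plus the value name so that
# ControlSet001 and Wow6432Node prefixes do not matter. These defaults are the
# documented Windows defaults (editor's addition), not something the report states.
BASELINE = {
    ("StandardProfile", "EnableFirewall"):         ("1", "Windows Firewall on for the standard profile"),
    ("StandardProfile", "DoNotAllowExceptions"):   ("0", "firewall exceptions permitted"),
    ("StandardProfile", "DisableNotifications"):   ("0", "firewall block notifications shown"),
    ("System", "EnableLUA"):                       ("1", "UAC enabled; a change needs a reboot to take effect"),
    ("Security Center", "FirewallDisableNotify"):  ("0", "Security Center alerts when the firewall is off"),
    ("Security Center", "AntiVirusDisableNotify"): ("0", "Security Center alerts when AV is off"),
    ("Security Center", "UpdatesDisableNotify"):   ("0", "Security Center alerts when updates are off"),
    ("Security Center", "UacDisableNotify"):       ("0", "Security Center alerts when UAC is off"),
    ("Security Center", "FirewallOverride"):       ("0", "Security Center trusts the built-in firewall status"),
    ("Security Center", "AntiVirusOverride"):      ("0", "Security Center trusts the built-in AV status"),
}


def assess(writes):
    """Split writes into controls that were weakened (data differs from the default),
    writes that merely re-set the default, and values not in the baseline."""
    weakened, redundant, unknown = [], [], []
    for w in writes:
        leaf = w.key.rsplit("\\", 1)[-1]
        entry = BASELINE.get((leaf, w.name))
        if entry is None:
            unknown.append(w)
        elif w.data == entry[0]:
            redundant.append(w)
        else:
            weakened.append((w, entry[0], entry[1]))
    return weakened, redundant, unknown


if __name__ == "__main__":
    weakened, redundant, unknown = assess(unique_writes(parse_set_value_rows(SANDBOX_ROWS)))
    for w, default, meaning in weakened:
        view = " [written to the 32-bit Wow6432Node view]" if w.wow64_view else ""
        print(f"WEAKENED  {w.name} = {w.data} (default {default}): {meaning}{view}")
    for w in redundant:
        print(f"NO CHANGE {w.name} = {w.data} equals the default; write logged, control not weakened")
```

Run as-is it prints nine weakened controls and one no-change line for DoNotAllowExceptions. To reuse it on another report, paste that report's Set value rows into SANDBOX_ROWS and extend BASELINE with the defaults for any value it flags as unknown.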

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f769627 C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "11000" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
(18 identical rows in the original table)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
(30 identical rows in the original table: the sample enables SeDebugPrivilege repeatedly, which is what the cross-process writes listed under Suspicious use of WriteProcessMemory require)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\taskhost.exe
PID 2892 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\Dwm.exe
PID 2892 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\Explorer.EXE
PID 2892 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\DllHost.exe
(37 rows in the original table, collapsed to the four distinct source/target pairs: 12 writes each into taskhost.exe (PID 1120), Dwm.exe (PID 1180) and Explorer.EXE (PID 1256), and one into DllHost.exe (PID 1700), all from the sample's own PID 2892)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe

"C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mxreport.whooyan.com udp
CN 47.95.30.97:80 mxreport.whooyan.com tcp
US 8.8.8.8:53 down1.thorzip.muxin.fun udp
CN 42.177.83.82:80 down1.thorzip.muxin.fun tcp
CN 42.177.83.111:80 down1.thorzip.muxin.fun tcp
CN 47.95.30.97:80 mxreport.whooyan.com tcp
CN 112.84.131.219:80 down1.thorzip.muxin.fun tcp
CN 42.177.83.115:80 down1.thorzip.muxin.fun tcp
CN 42.177.83.224:80 down1.thorzip.muxin.fun tcp
CN 211.97.81.229:80 down1.thorzip.muxin.fun tcp
CN 113.201.158.139:80 down1.thorzip.muxin.fun tcp
CN 47.95.30.97:80 mxreport.whooyan.com tcp
CN 47.95.30.97:80 mxreport.whooyan.com tcp
CN 47.95.30.97:80 mxreport.whooyan.com tcp
CN 47.95.30.97:80 mxreport.whooyan.com tcp

Files

memory/2892-0-0x0000000000400000-0x0000000000667000-memory.dmp

memory/2892-1-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-3-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-21-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-19-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2892-6-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-4-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-17-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2892-16-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1120-10-0x0000000001B40000-0x0000000001B42000-memory.dmp

memory/2892-8-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-7-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-5-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-22-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-20-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-9-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-25-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2892-29-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2892-30-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-31-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-32-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-34-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-33-0x0000000002160000-0x000000000321A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F76AA53_Rar\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe

MD5 1076527b950fccd0a8aefc67f9ee0374
SHA1 68c6279fa87bf698dab426426bba358da33d18bb
SHA256 9805d16f22d28158ccb5a0b5ec9b7d528f4a1c3f85446f752c2a1d74c441178d
SHA512 fc5f2e124815e652e0a441fdfcb24ae6f85f34846abdfec25bc77f53f8522a3d783e027f8fe391017ebd3c5e8d451908a66b34b7eb7ac15d6c8f7ab219fa8078

memory/2892-42-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-43-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-45-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-47-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-48-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-57-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-58-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-59-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-65-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-64-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-69-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-70-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-73-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-79-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-80-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-100-0x0000000002160000-0x000000000321A000-memory.dmp

memory/2892-105-0x00000000001E0000-0x00000000001E2000-memory.dmp

F:\vvifle.pif

MD5 16cd3e4adfa6e8cf997f98644f3c806f
SHA1 89e6acce6d04bd716b6254a8a3ca8d3ff84a54f2
SHA256 59bd995f7be083f22fccc4540f57a36b99ad44da8c295b9021d426b1355eb44d
SHA512 4e52575d282d9ffa63318ada97be6d6f7508bf96062e61ba343f09433d43f50d1d759b21f4183ce9313f3a0252a726b2f88be2c2864fb28f82f49b86b1c31364

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 18:33

Reported

2024-06-11 18:35

Platform

win10v2004-20240508-en

Max time kernel

123s

Max time network

152s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57dfc1 C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "11000" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "1" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\fontdrvhost.exe
PID 60 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\fontdrvhost.exe
PID 60 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\dwm.exe
PID 60 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\sihost.exe
PID 60 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\svchost.exe
PID 60 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\taskhostw.exe
PID 60 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\Explorer.EXE
PID 60 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\svchost.exe
PID 60 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\DllHost.exe
PID 60 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 60 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 60 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 60 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\system32\backgroundTaskHost.exe
PID 60 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7fffa353ceb8,0x7fffa353cec4,0x7fffa353ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2280,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2388,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3392 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe

"C:\Users\Admin\AppData\Local\Temp\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 mxreport.whooyan.com udp
US 8.8.8.8:53 down1.thorzip.muxin.fun udp

Files

C:\Users\Admin\AppData\Local\Temp\0E57F51E_Rar\b69c5746836e8e9af15cf474730b0c21fdeaf85f68d8790949d3962a06fa89ad.exe

MD5 1076527b950fccd0a8aefc67f9ee0374
SHA1 68c6279fa87bf698dab426426bba358da33d18bb
SHA256 9805d16f22d28158ccb5a0b5ec9b7d528f4a1c3f85446f752c2a1d74c441178d
SHA512 fc5f2e124815e652e0a441fdfcb24ae6f85f34846abdfec25bc77f53f8522a3d783e027f8fe391017ebd3c5e8d451908a66b34b7eb7ac15d6c8f7ab219fa8078

F:\mhheqf.pif

MD5 3c29abdd8703942752d4c962e8021d31
SHA1 efec3c5fc49207f673882d9b8fae6269405e1efa
SHA256 e7d9c512b575f5db183a1b760cdcdd176b57df92bcdf2bdf269c7c19184c13b7
SHA512 60628ca12bf3814024e92159d1c23254fcac305ee3d70f909576a955e937d6ec94f17e70969dba4202c12fbf79c380df6c2a7419da7aab808501ba9e7fab27c4