Malware Analysis Report

2024-09-11 11:46

Sample ID 240613-ccdftszfrf
Target bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe
SHA256 bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4
Tags
sality backdoor evasion trojan upx bootkit persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4

Threat Level: Known bad

The file bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx bootkit persistence

Sality

Windows security bypass

UAC bypass

Modifies firewall policy service

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

System policy modification

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:55

Reported

2024-06-13 01:58

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows; no indicator detail)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows; no indicator detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows; no indicator detail)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A (20 identical rows)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe

"C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe"

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2172-6-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-5-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-1-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-4-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-7-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-3-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-8-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-11-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-10-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-9-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-28-0x0000000075300000-0x0000000075301000-memory.dmp

memory/2172-27-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/2172-22-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/2172-21-0x0000000000720000-0x0000000000722000-memory.dmp

memory/1116-12-0x00000000020B0000-0x00000000020B2000-memory.dmp

memory/2172-29-0x0000000000720000-0x0000000000722000-memory.dmp

memory/2172-31-0x00000000752F0000-0x0000000075370000-memory.dmp

memory/2172-30-0x00000000752F0000-0x0000000075370000-memory.dmp

memory/2172-32-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-33-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-39-0x0000000000720000-0x0000000000722000-memory.dmp

memory/2172-34-0x0000000001E60000-0x0000000002EEE000-memory.dmp

memory/2172-48-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2172-49-0x00000000752F0000-0x0000000075370000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:55

Reported

2024-06-13 01:58

Platform

win10v2004-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows; no indicator detail)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows; no indicator detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (39 identical rows; no indicator detail)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
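The registry writes listed under "Modifies firewall policy service", "UAC bypass", "Windows security bypass" and "Windows security modification" in both behavioral1 and behavioral2 are the same small set of key/value pairs, and they are the most durable host-side indicators in this report. The following is an added example, not part of the sandbox report, that turns those exact values into detection logic over Sysmon Event ID 13 (RegistryEvent: Value Set) records. It normalises paths so the sandbox notation (\REGISTRY\MACHINE\...), Sysmon's HKLM\... notation, ControlSet001 versus CurrentControlSet and the WOW6432Node view all compare equal. The Sysmon field names (EventID, Image, TargetObject, Details) are the real ones; the events at the bottom are constructed for the example.

```python
r"""Registry-tamper detection for the values this sample wrote.

Added example, not part of the sandbox report. Matches Sysmon Event ID 13
(RegistryEvent: Value Set) records against the firewall-policy, Security
Center and EnableLUA writes listed in behavioral1 and behavioral2. Paths are
normalised so sandbox notation (\REGISTRY\MACHINE\...), Sysmon notation
(HKLM\...), ControlSet001 vs CurrentControlSet and the WOW6432Node view all
compare equal. The events at the bottom are constructed for the example.
"""
import re

# Key -> {value name: data}, exactly as the report shows the sample set them.
TAMPER_IOCS = {
    r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile": {
        "EnableFirewall": "0",
        "DisableNotifications": "1",
        "DoNotAllowExceptions": "0",
    },
    r"SOFTWARE\Microsoft\Security Center": {
        "AntiVirusOverride": "1",
        "AntiVirusDisableNotify": "1",
        "FirewallOverride": "1",
        "FirewallDisableNotify": "1",
        "UacDisableNotify": "1",
        "UpdatesDisableNotify": "1",
    },
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {
        "EnableLUA": "0",
    },
}

_HIVE_RE = re.compile(r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", re.I)
_CONTROLSET_RE = re.compile(r"^SYSTEM\\ControlSet\d{3}\\", re.I)
_WOW_RE = re.compile(r"^SOFTWARE\\WOW6432Node\\", re.I)


def normalise_key(path: str) -> str:
    """Canonical HKLM-relative, lower-case key path."""
    path = _HIVE_RE.sub("", path.replace("/", "\\"))
    path = _CONTROLSET_RE.sub(r"SYSTEM\\CurrentControlSet\\", path)
    path = _WOW_RE.sub(r"SOFTWARE\\", path)
    return path.lower()


# Normalised index built once: key -> {value name (lower-case): expected data}
_IOC_INDEX = {
    normalise_key(key): {name.lower(): data for name, data in values.items()}
    for key, values in TAMPER_IOCS.items()
}


def parse_dword(details: str) -> str:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; return the decimal text."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


def match_event(event: dict):
    """Return a finding dict if a Sysmon EID 13 record hits an IOC, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if "\\" not in target:
        return None
    key, _, value_name = target.rpartition("\\")
    expected = _IOC_INDEX.get(normalise_key(key), {}).get(value_name.lower())
    if expected is None:
        return None
    actual = parse_dword(event.get("Details", ""))
    if actual != expected:
        return None  # same value name but a benign setting, e.g. firewall re-enabled
    return {"image": event.get("Image"), "key": normalise_key(key),
            "value": value_name, "data": actual}


def scan(events):
    return [f for f in map(match_event, events) if f]


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe"

# Constructed Sysmon-style records for the example (not captured telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_PATH, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"EventID": 13, "Image": SAMPLE_PATH, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"EventID": 13, "Image": SAMPLE_PATH, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # Benign: a service turning the firewall back on must not match.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    # Key-created event (EID 12), not a value set; ignored by this rule.
    {"EventID": 12, "Image": SAMPLE_PATH, "Details": "",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['image']} set {f['key']}\\{f['value']} = {f['data']}")
```

Matching on key, value name and data (rather than on the value name alone) keeps the rule quiet when a legitimate component writes EnableFirewall = 1 to the same key; the three constructed sample-process events match, the svchost.exe write and the key-creation event do not. For a host already suspected of running this sample, the same table can be read back directly from the registry to confirm the current state, but the event-based form is what catches the write at the time it happens.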

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
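Opening \??\PhysicalDrive0 for modification is what earns this run the bootkit and persistence tags: a write at that level can replace the master boot record, which executes before the operating system and therefore before any of the security products the sample also tried to silence. The report records the open but not the bytes written, so the practical follow-up is an integrity check of the MBR. The following is an added example, not part of the sandbox report: it parses a 512-byte MBR, verifies the 0x55AA signature, decodes the four partition entries and hashes only the boot-code region (bytes 0..439), leaving out the disk signature (440..443) and the partition table (446..509), which legitimately differ between hosts. The two sectors and the baseline digest are constructed for the example; on a real host the baseline must come from a known-clean image of that same disk.

```python
r"""MBR boot-code integrity check.

Added example, not part of the sandbox report. Reads a 512-byte MBR, checks
the 0x55AA signature, parses the partition table and compares a SHA-256 of
the boot-code region (bytes 0..439) with a recorded baseline. The sectors
below are constructed; read_first_sector() is what you would call on a live
Windows host (administrator rights required).
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOTCODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(sector: bytes) -> list:
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype != 0:  # type 0 = empty slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def bootcode_digest(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> dict:
    """Return the parsed partitions plus a list of findings (empty means clean)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("empty partition table")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    digest = bootcode_digest(sector)
    if digest != baseline_digest:
        findings.append("boot code differs from baseline")
    return {"bootcode_sha256": digest, "partitions": parts, "findings": findings}


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (needs administrator rights); not called here."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sector(bootcode: bytes, partitions) -> bytes:
    """Assemble a test MBR from boot code and (bootable, type, lba, count) tuples."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    buf = bytearray(SECTOR_SIZE)
    buf[:len(bootcode)] = bootcode
    buf[440:444] = b"\x12\x34\x56\x78"  # disk signature, arbitrary for the example
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFF + i * 16,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed stand-ins: a "clean" boot stub and one whose code was replaced.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
TAMPERED_BOOTCODE = b"\xeb\x3c" + b"\xcc" * 64
LAYOUT = [(True, 0x07, 2048, 204800)]  # one bootable NTFS partition

CLEAN_SECTOR = build_sector(CLEAN_BOOTCODE, LAYOUT)
BASELINE_SHA256 = bootcode_digest(CLEAN_SECTOR)  # the value you would record from a clean image
TAMPERED_SECTOR = build_sector(TAMPERED_BOOTCODE, LAYOUT)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(label, check_mbr(sec, BASELINE_SHA256)["findings"])
```

The tampered sector keeps the partition table and signature intact and changes only the boot code, which is the shape of a bootkit write and is exactly what the boot-code-only hash isolates. On a GPT disk the MBR is a protective MBR with a single type 0xEE entry; the hash comparison still applies there, but a UEFI bootkit would target the EFI System Partition rather than this sector, which this check does not cover.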

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
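Sality is a polymorphic PE file infector, and the rows above show the sample opening 7-Zip and Office Click-to-Run executables under Program Files for modification; the report does not show what, if anything, it wrote to them. An appended infector typically grows the last section, marks it executable (and often writable) and redirects AddressOfEntryPoint into the new code. The following is an added example, not part of the sandbox report, that parses the PE headers with struct alone and flags that pattern, so the listed files can be triaged quickly before the slower definitive check (Authenticode signature or hash against a known-good copy). The two PE images are built inline and are constructed, not the files from the report.

```python
"""Entry-point heuristic for appended PE infectors.

Added example, not part of the sandbox report. Parses the DOS header, PE
signature, COFF header, optional header and section table, then flags the
classic infector pattern: entry point in the last section, in a section that
is both writable and executable, or outside every section. The PE images
below are constructed for the example.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def parse_headers(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) or raise ValueError."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "span": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def assess(data: bytes) -> dict:
    entry_rva, sections = parse_headers(data)
    findings, entry_section = [], None
    for idx, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["span"]:
            entry_section = idx
            break
    if entry_section is None:
        findings.append("entry point outside all sections")
    else:
        s = sections[entry_section]
        if len(sections) > 1 and entry_section == len(sections) - 1:
            findings.append(f"entry point in last section {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section {s['name']} is writable and executable")
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section {s['name']} is not executable")
    return {"entry_rva": entry_rva,
            "entry_section": sections[entry_section]["name"] if entry_section is not None else None,
            "findings": findings}


def assess_file(path: str) -> dict:
    """Headers sit at the start of the file; 64 KiB covers any sane section table."""
    with open(path, "rb") as fh:
        return assess(fh.read(65536))


def build_pe(sections, entry_rva: int) -> bytes:
    """Minimal PE32 header set for testing: sections = [(name, vaddr, vsize, chars)]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                                 vsize, 0, 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: a normal layout, and the same layout after an appended infection
# that grew .data, made it executable and pointed the entry point into it.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x4000, TEXT), (b".rdata", 0x5000, 0x1000, RDATA),
                     (b".data", 0x6000, 0x1000, DATA)], entry_rva=0x1234)
INFECTED_PE = build_pe([(b".text", 0x1000, 0x4000, TEXT), (b".rdata", 0x5000, 0x1000, RDATA),
                        (b".data", 0x6000, 0x3000, DATA | IMAGE_SCN_MEM_EXECUTE)], entry_rva=0x6800)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, assess(img))
```

This is a triage heuristic, not proof of infection: packed binaries (the sample itself is UPX-packed) and some installers also carry entry points in unusual or RWX sections. Use it to rank the files listed above, then confirm with the Authenticode signature or a hash comparison against a clean copy of each executable.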

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A (28 rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5052 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\fontdrvhost.exe
PID 5052 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\fontdrvhost.exe
PID 5052 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\dwm.exe
PID 5052 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\sihost.exe
PID 5052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\svchost.exe
PID 5052 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\taskhostw.exe
PID 5052 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\Explorer.EXE
PID 5052 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\svchost.exe
PID 5052 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\DllHost.exe
PID 5052 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5052 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5052 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5052 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5052 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 2064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1416 wrote to memory of 2064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe

"C:\Users\Admin\AppData\Local\Temp\bc5cc5828933c52cfae2c801627e7d212104193e65c0cb1724dd7a44f11703f4.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://127.0.0.1:88/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0b6f46f8,0x7ffc0b6f4708,0x7ffc0b6f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2827998327871215055,10884496134946792813,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2984 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.netbox.cn udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp

Files
