Malware Analysis Report

2024-09-11 12:21

Sample ID 240614-y1w4qsyajk
Target 3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017
SHA256 3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017
Tags
sality backdoor evasion trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017

Threat Level: Known bad

The file 3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Sality

UAC bypass

UPX dump on OEP (original entry point)

Windows security modification

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:15

Signatures

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

1 match reported (description, indicator, process and target: N/A)

Unsigned PE

1 match reported (description, indicator, process and target: N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:15

Reported

2024-06-14 20:18

Platform

win7-20231129-en

Max time kernel

126s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

30 matches reported (description, indicator, process and target: N/A)

UPX dump on OEP (original entry point)

28 matches reported (description, indicator, process and target: N/A)

UPX packed file

upx
28 matches reported (description, indicator, process and target: N/A)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
(13 identical events reported)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
(32 identical events reported)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3040 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | C:\Windows\system32\taskhost.exe | 13
PID 3040 wrote to memory of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | C:\Windows\system32\Dwm.exe | 13
PID 3040 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | C:\Windows\Explorer.EXE | 13
PID 3040 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | C:\Windows\system32\DllHost.exe | 1
(40 events in total; the Events column is the count of identical rows collapsed from the report)

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe

"C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe"

Network

N/A

Files

memory/3040-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3040-3-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-6-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-8-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-25-0x0000000004720000-0x0000000004722000-memory.dmp

memory/3040-9-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-10-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-24-0x0000000004720000-0x0000000004722000-memory.dmp

memory/3040-7-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-5-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-23-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-4-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-22-0x0000000004870000-0x0000000004871000-memory.dmp

memory/3040-20-0x0000000004870000-0x0000000004871000-memory.dmp

memory/3040-19-0x0000000004720000-0x0000000004722000-memory.dmp

memory/1260-11-0x0000000000320000-0x0000000000322000-memory.dmp

memory/3040-26-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-28-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-27-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-29-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-30-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-32-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-33-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-34-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-36-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-38-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-50-0x0000000002F10000-0x0000000002F12000-memory.dmp

memory/3040-49-0x0000000003F60000-0x0000000003F61000-memory.dmp

memory/3040-51-0x0000000002F10000-0x0000000002F12000-memory.dmp

memory/3040-52-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-53-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-55-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-58-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-60-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-62-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-64-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-65-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-68-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/3040-77-0x0000000004720000-0x0000000004722000-memory.dmp

memory/3040-101-0x0000000002F10000-0x0000000002F12000-memory.dmp

F:\pfeqnw.pif

MD5 214072064edef5fa74d387f5f83de872
SHA1 c61d607d45742ff7bb6c84a230907afefb583631
SHA256 6cb64a6efc564263ca9d3fb5826b6b176d8c99a73867fa2d1ed173bc31dc9047
SHA512 b996b10cef73b6b92d9ef287c61365ced18751e700bfa4e6d109afadaf9c7b09ec729d805307e822753967b499d400c4e5666cea87629b8607df48659d2aedfb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:15

Reported

2024-06-14 20:18

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

153s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\fontdrvhost.exe
PID 2892 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\fontdrvhost.exe
PID 2892 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\dwm.exe
PID 2892 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\sihost.exe
PID 2892 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\svchost.exe
PID 2892 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\taskhostw.exe
PID 2892 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\Explorer.EXE
PID 2892 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\svchost.exe
PID 2892 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\DllHost.exe
PID 2892 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2892 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\System32\RuntimeBroker.exe
PID 2892 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2892 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\System32\RuntimeBroker.exe
PID 2892 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\System32\RuntimeBroker.exe
PID 2892 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2892 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2892 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2892 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2892 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2892 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2892 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\System32\RuntimeBroker.exe
PID 2892 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\System32\RuntimeBroker.exe
PID 2892 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2892 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffe970dceb8,0x7ffe970dcec4,0x7ffe970dced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2276,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2340,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe

"C:\Users\Admin\AppData\Local\Temp\3243e36e74b7c6b8ce3fe4282a39631ccd0a418e7b3467d8629059c143595017.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3444,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

F:\pjtg.pif

MD5 d2c516002632d5e6316465f4d2412431
SHA1 e1a020b178a6d920b8f2fce9549fe7879dada618
SHA256 14d44f7d383b989a7f5d2969aa7d8f9977aefa5b1a999db3b6a639892ee49c99
SHA512 6802b5cb8c1971ccaf63fd16a3ff8a111564895116420690ed1995862e02727c7c7fadb21c3e2789c082762374be1ebaee07227c9cc5ddcdbd3d0b4d79c640b1