Malware Analysis Report

2024-09-11 11:54

Sample ID 240616-v2jy1szgpg
Target aspweb88.exe
SHA256 a5faf4e08934c3e4dd4bc630084f0a6839bc4d454ea369b47ec955c2f62f8f16
Tags
sality backdoor bootkit evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5faf4e08934c3e4dd4bc630084f0a6839bc4d454ea369b47ec955c2f62f8f16

Threat Level: Known bad

The file aspweb88.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Sality

Modifies firewall policy service

Windows security bypass

UAC bypass

Windows security modification

UPX packed file

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 17:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 17:29

Reported

2024-06-16 17:31

Platform

win7-20240611-en

Max time kernel

139s

Max time network

139s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Note: EnableLUA = 0 does not bypass UAC, it switches it off; the setting takes effect at the next restart. The Security Center\UacDisableNotify = 1 write listed below suppresses the Action Center warning that UAC is disabled.

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Note: the indicator recorded for this signature is the same EnableLUA write listed under "UAC bypass"; no separate read of the value was captured.
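The registry indicators above (firewall policy, EnableLUA, Security Center overrides) are the part of this report that is directly actionable on other hosts. The following script is added here by the editor and is not part of the report or of the sandbox's tooling: it parses the "Set value" rows as printed in this report, normalises the key paths the way a live registry presents them, and evaluates a registry snapshot against them. Assumptions are marked in the comments: that ControlSet001 is the active control set on the host being checked, that the Wow6432Node view can be folded into the native view (the sample is 32-bit, so its Security Center writes land under Wow6432Node on x64; Security Center itself reads the native key), and that registry key names compare case-insensitively (the Win7 run logs "Wow6432Node" and "services", the Win10 run "WOW6432Node" and "Services"). The two host snapshots are constructed for the example, not taken from the report.

```python
"""Turn the registry indicators of this report into a host check (editor's example)."""
import re
from typing import Dict, List, Tuple

# Indicator rows copied from the behavioral1 tables above; rows repeated across
# "Windows security bypass" and "Windows security modification" appear once.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A',
]

# One row of the report's "Description Indicator Process Target" table. The key path
# may contain spaces ("Security Center"), so it is matched lazily up to ' = "'.
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str|data)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" '
    r'(?P<process>.+) (?P<target>\S+)$'
)


def normalize(path: str) -> str:
    """Canonical lower-case form so sandbox paths and live-host paths compare equal.

    Registry names are case-insensitive. Assumptions: ControlSet001 is the active
    control set (CurrentControlSet) on the host, and the Wow6432Node view is folded
    into the native view because Security Center reads the native key.
    """
    p = path.lower()
    for prefix, hive in ((r'\registry\machine', 'hklm'), (r'\registry\user', 'hku')):
        if p.startswith(prefix):
            p = hive + p[len(prefix):]
            break
    p = re.sub(r'\\controlset\d{3}\\', r'\\currentcontrolset\\', p)
    return p.replace(r'\wow6432node', '')


def build_rules(rows: List[str]) -> Dict[str, str]:
    """Map each normalised value path to the value the sample wrote."""
    rules: Dict[str, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError('unparsed indicator row: ' + row[:60])
        rules[normalize(m['path'])] = m['value']
    return rules


def evaluate(rules: Dict[str, str], snapshot: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (path, value) for every indicator the snapshot matches exactly."""
    observed = {normalize(k): str(v) for k, v in snapshot.items()}
    return [(p, v) for p, v in sorted(rules.items()) if observed.get(p) == v]


def reg_query_commands(rules: Dict[str, str]) -> List[str]:
    """reg.exe commands that collect the snapshot on a live host.

    reg query is case-insensitive; on x64 run a second pass with /reg:32 to read
    the Wow6432Node view as well.
    """
    cmds = []
    for path in sorted(rules):
        key, name = path.rsplit('\\', 1)
        cmds.append(f'reg query "{key}" /v {name}')
    return cmds


# Constructed snapshots for the example (not data from the report): what the
# queries might return on an infected x64 host and on a clean one.
INFECTED_HOST = {
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall': 0,
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions': 0,
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications': 1,
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA': 0,
    r'HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride': 1,
    r'HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify': 1,
    r'HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride': 1,
}
CLEAN_HOST = {
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall': 1,
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA': 1,
}

if __name__ == '__main__':
    rules = build_rules(REPORT_ROWS)
    hits = evaluate(rules, INFECTED_HOST)
    print(f'{len(hits)}/{len(rules)} Sality-style settings present')
    for path, value in hits:
        print(f'  {path} = {value}')
    print('\n'.join(reg_query_commands(rules)))
```

A partial match is still worth escalating: EnableLUA = 0 together with EnableFirewall = 0 on a workstation is not a configuration an administrator sets by accident, even when the Security Center overrides are absent. Remediation is not just restoring the values; the MBR and the injected processes listed further down have to be dealt with first, or the sample rewrites the keys.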

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Note: the captured indicator is a write-access open of the raw disk device \??\PhysicalDrive0, whose first sector is the MBR; the sectors actually written are not recorded in this report.
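A raw-disk open for modification is only evidence that the boot sector may have been rewritten; confirming it means reading sector 0 back and comparing it with a known-good copy. The following is an editor's example, not code from the report or the sandbox, of that comparison: it parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 55AA signature), hashes the bootstrap, and reports what differs from a baseline. The sample sectors are constructed for the example; the partition layout and the byte patterns are placeholders, not what this sample writes, which the report does not show. On a live Windows host the current sector is read, elevated, from \\.\PhysicalDrive0 as noted in the code.

```python
"""Baseline comparison of a 512-byte MBR (editor's example, not from the report)."""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
# Partition entry: status, CHS start (3), type, CHS end (3), LBA start, sector count.
ENTRY = struct.Struct('<B3sB3sII')


def build_mbr(bootstrap: bytes, partitions: List[Tuple[int, int, int, int]],
              signature: bytes = b'\x55\xaa') -> bytes:
    """Assemble an MBR from bootstrap code, up to four (status, type, lba, count) entries and the signature."""
    if len(bootstrap) > 446 or len(partitions) > 4:
        raise ValueError('bootstrap too long or too many partitions')
    table = b''.join(ENTRY.pack(st, b'\0\0\0', ty, b'\0\0\0', lba, n) for st, ty, lba, n in partitions)
    return bootstrap.ljust(446, b'\0') + table.ljust(64, b'\0') + signature


def parse_mbr(sector: bytes) -> Dict:
    """Split a sector into bootstrap hash, non-empty partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError('MBR must be exactly 512 bytes')
    parts = []
    for i in range(4):
        st, _, ty, _, lba, n = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ty:  # type 0 means unused entry
            parts.append({'index': i, 'bootable': st == 0x80, 'type': ty, 'lba_start': lba, 'sectors': n})
    return {
        'bootstrap_sha256': hashlib.sha256(sector[:446]).hexdigest(),
        'partitions': parts,
        'signature_ok': sector[510:512] == b'\x55\xaa',
    }


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Findings that distinguish a rewritten boot sector from an untouched one."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c['signature_ok']:
        findings.append('boot signature 55AA missing')
    if b['bootstrap_sha256'] != c['bootstrap_sha256']:
        first = next(i for i in range(446) if baseline[i] != current[i])
        findings.append(f'bootstrap code modified (first difference at offset {first})')
    if b['partitions'] != c['partitions']:
        findings.append('partition table modified')
    return findings


# Constructed sample sectors (placeholders, not taken from the report): a stock-looking
# bootstrap next to one whose code has been replaced while the partition table is kept.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]  # one bootable partition, hypothetical layout
GOOD_BOOTSTRAP = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0x8E, 0xC0, 0x8E, 0xD8]) + b'\x90' * 40
EVIL_BOOTSTRAP = b'\xEB\x00' + b'\xCC' * 60
BASELINE_MBR = build_mbr(GOOD_BOOTSTRAP, PARTITIONS)
INFECTED_MBR = build_mbr(EVIL_BOOTSTRAP, PARTITIONS)

if __name__ == '__main__':
    # On a live Windows host (elevated): current = open(r'\\.\PhysicalDrive0', 'rb').read(512)
    for name, sector in (('baseline', BASELINE_MBR), ('infected', INFECTED_MBR)):
        print(name, compare_mbr(BASELINE_MBR, sector) or ['no change'])
```

The baseline has to come from a trusted source (the golden image, or the same host before the incident), not from the suspect disk itself. An unchanged partition table with a changed bootstrap is the pattern to expect from a bootkit that hooks the boot path rather than repartitioning, and the bootstrap hash alone will not tell where the original sector was relocated; for that the sectors after the MBR have to be examined as well.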

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000009e3ad5785b4b6c80a5c9d957960dcb6ab0939c9559bea59dbe324e401b99e17e000000000e80000000020000200000009872da933b074117a1698b41b1c623beba4fff77c37888b9210f180b8bd43ef52000000074cc24a019fd5f5c7cbf922bd2ab0b0e4a0bb19e0c7ac94d21f5dccc1e2657164000000049f1050ccf4ba4f17d8a3c56e794a83436df5ca34b5edacc62652cf65242abe0e224466be0d2a2a2a3801c21461fba83921adab1199e609a1921e7f4721fe5e8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424720823" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5008acc912c0da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F241E4B1-2C05-11EF-B3FC-D2ACEE0A983D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\taskhost.exe
PID 2860 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\Dwm.exe
PID 2860 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE
PID 2860 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe
PID 2860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2408 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2408 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
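The WriteProcessMemory table mixes two very different things: the sample (PID 2860, running from %TEMP%) writing into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe and the iexplore.exe it launched, and iexplore.exe (2408) writing into the IEXPLORE.EXE content process it brokers (2952, note the SCODEF:2408 argument in the Processes list). The following script is an editor's example, not part of the report or the sandbox: it parses these rows, separates writes whose source image lives in a user-writable directory from the broker pattern, and then propagates taint across the edges, so that 2952 is still reported as compromised even though the process that wrote into it is a Microsoft binary. The list of user-writable directories is an assumption of the example.

```python
"""Classify the WriteProcessMemory rows of this report (editor's example)."""
import re
from collections import Counter
from typing import List, NamedTuple, Set, Tuple


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


# Rows copied from the "Suspicious use of WriteProcessMemory" table of behavioral1.
WPM_ROWS = [
    r'PID 2860 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\taskhost.exe',
    r'PID 2860 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\Dwm.exe',
    r'PID 2860 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE',
    r'PID 2860 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe',
    *[r'PID 2860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files\Internet Explorer\iexplore.exe'] * 4,
    *[r'PID 2408 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE'] * 4,
]

# Both image paths may contain spaces; the source is matched lazily up to the point
# where a drive-letter path begins. A path containing " X:\" would confuse this.
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$'
)

# Assumption: directories a standard user can write to; an image running from one of
# them that writes into other processes is treated as attacker code, not a broker.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


def parse_writes(rows: List[str]) -> List[Write]:
    writes = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError('unparsed row: ' + row[:50])
        writes.append(Write(int(m['src']), int(m['dst']), m['src_image'], m['dst_image']))
    return writes


def is_user_writable(image: str) -> bool:
    low = image.lower()
    return any(d in low for d in USER_WRITABLE)


def injection_edges(writes: List[Write]) -> List[Tuple[int, int, str, int]]:
    """(src_pid, dst_pid, dst_image, write_count) for writes from an untrusted image.

    Writes by a system image into a process it brokers (iexplore.exe -> IEXPLORE.EXE)
    are left out here; tainted_pids() picks them up transitively.
    """
    counts = Counter((w.src_pid, w.dst_pid, w.src_image, w.dst_image) for w in writes)
    return sorted((s, d, di, n) for (s, d, si, di), n in counts.items() if is_user_writable(si))


def tainted_pids(writes: List[Write]) -> Set[int]:
    """Transitive closure over write edges, seeded with untrusted writers.

    Once 2860 has written into iexplore.exe (2408), the writes 2408 makes into
    2952 carry the taint, although 2408's image is a Microsoft binary.
    """
    tainted = {w.src_pid for w in writes if is_user_writable(w.src_image)}
    changed = True
    while changed:
        changed = False
        for w in writes:
            if w.src_pid in tainted and w.dst_pid not in tainted:
                tainted.add(w.dst_pid)
                changed = True
    return tainted


if __name__ == '__main__':
    writes = parse_writes(WPM_ROWS)
    for src, dst, image, n in injection_edges(writes):
        print(f'{src} -> {dst} {image} ({n} write(s))')
    print('tainted PIDs:', sorted(tainted_pids(writes)))
```

The same two-step logic applies to Sysmon data on a live host (event ID 8 for CreateRemoteThread, event ID 10 for process access with write rights): filter on the source image path first, then follow the edges, because every process the sample has written into is a possible second-stage writer and a copy of the infection that survives killing PID 2860.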

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\aspweb88.exe

"C:\Users\Admin\AppData\Local\Temp\aspweb88.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1:88/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2860-31-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-30-0x00000000746E0000-0x000000007471B000-memory.dmp

memory/2860-29-0x00000000746E1000-0x00000000746E2000-memory.dmp

memory/2860-23-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-7-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-16-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-26-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2860-25-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2860-4-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-5-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-24-0x0000000000670000-0x0000000000671000-memory.dmp

memory/2860-8-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-20-0x0000000000670000-0x0000000000671000-memory.dmp

memory/2860-19-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2860-6-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-3-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/1056-9-0x0000000001C60000-0x0000000001C62000-memory.dmp

memory/2860-1-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/2860-34-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-32-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-35-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-36-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-53-0x00000000746E0000-0x000000007471B000-memory.dmp

memory/2860-55-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/2860-56-0x0000000001FE0000-0x000000000306E000-memory.dmp

memory/2860-47-0x00000000003F0000-0x00000000003F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9531.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar95D0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a640348e5dee07d344f385211f1eba11
SHA1 e9b3e48aa2c0b0aae4d843b112f718866068d633
SHA256 fecfd47f2597b3bdde0af0c3cccc71c752ac8026c5f248b3677e012003842e62
SHA512 1029a2e09c0c79eaee65f569426adad76df4b8e7a9dcdaf21b38a9a12bb36c3978cb5de7ba0474f8cd0e1cea0d38a67169870cb4d1360f15cd99bfbe6af572ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf5dc3037bd06de19074bc099c52824f
SHA1 378e73d56395a8c0420188c9ba1bcb5de6846fc3
SHA256 6ad313dc6c76628639125f189a661e42777a0f5dc5029c1151136650d4c35595
SHA512 09170dd81c5b8e84239a70409ab4cdefea302ae48684051bd295f1f11c1efbdc98504220b0f2bd85cfc43c8b8e4f9460343c0cd5f8d51c3115c2c96fffc9485a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a89d157cb76f7471b94be7ec4599a413
SHA1 cd51f394c31298b7e1ab060b4d71ca3bf885c7ef
SHA256 223fa6043415b5898efeea21f4c8d3e04e7151f527ebf196368a9805389e1506
SHA512 7f85a455552b9093c30a6dda97f905010d685e9f060510c16a7aa8eb3d38cce84d7bf92f8e61899b4c6eb7169ce0d0100b92ad7528659f242b5c11891de245ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6b1ed94da62d620f9370bf3dd252a84
SHA1 2d990f833b7bddd16064b975c70e726d5406ea32
SHA256 a50b4cd3455df63cc7eafd3f4863f4758a26a6845c94565e3e6dfdcc64c325e8
SHA512 8ee370e4e20935eec0fa4c042c08b7099e3625f8d00e6b357db319224230c6f4780653d33df07088172ce52ea81a45b7ecbc9b7d95eafd7294eb41c43db927c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f2c19ea697e60f6fc9d521cc00a3f6a
SHA1 15c000b81c4cc1692691e2ba16626ff7f34f7d7f
SHA256 c728e59797d3e20fa64089930d1bda8d7557ef5dc75662cbb00dcb00c9082801
SHA512 87ddbfb3f8f3fb195ef2c7f589547132b347c9910921edd3d04ff478eb41814e3a6d2df248fe6eeb4d5b6359d015217e1faf7f70de1f21ba7d440eac1430309f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdaa05540816425343a73f6a04dd7c9d
SHA1 dfe18b2a8d22a8e9110c44b25909151834787fc8
SHA256 a5d888454e57283e71dd258858e68189a4b48701a7171f0e847b50c5c6766d25
SHA512 b906a859899246833adf266792f1dae838962923ac9fff555c47a3564cdfb51f6e64fbfd1f0ef553029891532d4d2f4b4b5c3104775e68a396a83b4267c7e307

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d194847d49dbb3632ded8e194f2f02d0
SHA1 2586c01efe92137b532662d113427d2621a46ace
SHA256 ea7724181ee4875becf36b3e27cff19b6803834e40cc5e7575b9b697c75cd5e6
SHA512 4bae6a51cf919383862bcecba283d0149ec109457b49798340c02e57d2d33d235fd0b1fa1b98e38fd32fafc790b089710ce1aeb5dd57fea10999d475a60e0394

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 022401e73e7421c7a447daaeb68cf271
SHA1 4046f5b41eece7186ec7e3e3ce7473035ac6d8e4
SHA256 194c7f76b0ac9da5bc743149256351348df926ba4885ff16d7d4b8d6e1df7def
SHA512 da7e330dc107bf3a1269b441680f0df23d3c1bcac00fb13b7ed2e918c4f9a4790f515059a6df7630972b724be07ff508cfa2d743abfdce0f0038331867baaf7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0b9d56feb91adc8094b38aa82bac3da
SHA1 d69423203070d4f77a01b4a15ed341f3b69bda67
SHA256 9ed87f6c9dbb13153e3855c493b551b0cbaa99eebf4eca525b25de8fa12e2b8b
SHA512 194504ae78c003c39f68643663875bbfbfe577a61d2f8d4c34e5156a37b0bf025e639627cbe9fc895790286401de58f1eee32a5553dcd86f15720aa96ae931d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b725e32398dab6160034b5c5cf1631d3
SHA1 637ff31e22d83ec3bfea60a2c99682485597140b
SHA256 b884f0baf590bb1b9b62ffca158d9e22dd0dc5db0b21ab8c9ddbfc51f6f4742b
SHA512 705a261125297b417c8da1844fa3cd7e35a7ac5988a33d75528ec44d2f24cd898f6e9b802e96e41d6b6881404327c3456548f760df140cf1544c9d3c232d89f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 272714a5f0eeeeb172a10683a3609d39
SHA1 42cdfe08e853c400d918377b6037b99a4f122584
SHA256 d72b5ccc51bf2cf2cd5bd839523220bd88c090e47e8fb1772ae07bae97bc6840
SHA512 ed8864118651bc62a203f9a788fa9f529708431d0807b058c64688ea58d1865d836516ce4b3938b3c9bc49011cbe96121bbe9361f809d4fa9dd511fc39519e39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3ca6dd31c4ef32740ac0f6a0c19d423
SHA1 fa637fa2e28651c01e503dfd805d9946aefce820
SHA256 5f3ff11c64f49c194c61ca50320d9b1945cf0e97dd99f98a70e51a682b8d23f7
SHA512 b94b40fc5ff4f6d19c4b153023b74e071bba4071e0caba2ed93075513bf4f6c43af31f96a637c21f5db3cb1cd4127a5f25db49f440621c4775ef6c2a2524f401

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9fb01b55af3d46b56f5637ad193ecfc2
SHA1 61d4351c66923747151d8247121a0929e9c14665
SHA256 2f77aa2d330cc432e9378d570128fd4c05b81ef491c4205426c366d774953b87
SHA512 7053fd627bc26448d5f719eb3df24d4805b161f905553ea202a0847f5d6d86fb70548e7219fd2aa8e948e163168e8eed339afe9e68317954468874e88a89f494

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26ffb07b6ecac86056df614db2be386f
SHA1 90226a7aab17c132848e348bcd0490b1ba9e1e77
SHA256 5fb02f9554761d867be34531b1f46f10156648061444be6aaf71efa1b0c5be67
SHA512 a29be37574021b852af1fb41960b913819ae3ac7d313493e7a54c97473339d0067e14fb18e43ea6d9358e71363a93b3c8dc40b8b9de3cd3fb774ac4f1736770f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad9e36e3ea5b4de7844853eaed42e7b2
SHA1 15488285060f0fdde8a8ea81be45234c4ba7e7fa
SHA256 9ba6ffd0b5af79a655dc47d0d52da2bc1775c9ea480973a3a601cfb20667a4f1
SHA512 aa77b154b3892e87270f9f403784b31dbed324aa66b67111f4aa0e5ea012f598dd124853db6510353dfaabb89ba88ef0271503089c32dbfdab94058500b85333

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbb2df28ffd4c51bfd44412e1b52f892
SHA1 ebdd7d80d113390a22377d7290e80e693b58a148
SHA256 93962e6d8f35de87f9e470bbe33084b0823f46b604d0cd793e84db2c6a51d266
SHA512 0b040dbdbeb509f0356019685c6b72d281752c7c8db7df4c3e58377a12809fc8f6f07674442349f08a764f06915793a105c82196ea5b70b5d72d399e8fa3d733

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93f28275d492f09a5bff0586b364bd4e
SHA1 52046ad987bb80f00bff7c1db7138cf7432989fc
SHA256 eac8ab66457897007f84fdd2472e1c4e95fb1a7b4db1a31a4891ec95a04b3156
SHA512 ce5a77ebfd8bfeba9fd45ed28dd93678c4a958d8b1c171f7dc3608f17e924756b5db6a6074f4d12efeebad230862b285e91226d52dfc4e777c3cf318783c49c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f204b59369188cfbae9f4d6f27b0c8a4
SHA1 d6d5474cca78214a1429a92f7d1c3b48f199fde2
SHA256 911bec2e5124c310516690adb06cfea9129afdfdf97cb8ed62f8d68eeb2445a9
SHA512 f803839c0a10120dd44f7eaf8ac21b140a9bd3403e2dfeb499b2c710447b847135c57395d99810614fdb49be498a0320a5a0af6c2dd6c051586489f74f0a341f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29b1e55693bbc3c2a63506b749989df6
SHA1 d74dcf7b2b8090fe2f23ecb0ad08b28320d5e55f
SHA256 901fbe30f097393ec13510b01c5a1546476afb8bf964f8f54fcf41ff079cae4a
SHA512 9863d878a7cf7fbb0ae86cbd838561b0b8cd9fc89b4ac031bb9fe5b3662fb3efc183d133898fcb240dbf1d216f036c3bb63160f25d892e470f899c4a933691d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7a163fce96e9b138cd495c30f4e80b3
SHA1 02362f6a0f9f6ba3880b1b79371a57e95bcfc8c4
SHA256 deba72c3f7164b424c0f8f4abbf9f9291b4a81a64dea6c338824a0891195584b
SHA512 37dbbf6753759fa9eda90cd87ab922d9188f723e490a760b15f94995ee472d39cacf0db8bc7fa83ab954237bffd274780bff0d80c24b9cf1e8658597067c232c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67707b72f23773e29e4d8aea48412c06
SHA1 63cd086cfa4d396f09ca8fb981e19592fab1d436
SHA256 e4323a134dede1a6c088c7a63e0bc5197d72b5f047cdf8354d7775f956f020e4
SHA512 9ec12d2218daedf7994532efab2a1b08622328846481bcdd90284560d6a57a2d9dfb39f1bb3a2d63f38c57e0c25937e92d339f17e2ea00794e4e113ee4ceef3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 17:29

Reported

2024-06-16 17:31

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

133s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows without indicator detail, collapsed)

Note: UPX is a commodity packer and this static signature carries little weight on its own; it is listed here because the same sample is also Sality-tagged. If a stock upx -d refuses the file, the packer header has usually been altered and the payload is better recovered from a memory dump of the running process.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Note: "Windows security bypass" above and "Windows security modification" here are matched by the same six Security Center writes (this table adds only the Svc key creation); count them once when scoring. These are the Windows XP-era Security Center override values, which have little practical effect on Windows 10, but they are a long-standing Sality family marker and are worth a registry sweep on any host that ran this binary.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Note: despite the signature name, the indicator is a write, not a read. It is the same single EnableLUA = 0 event that also fires "UAC bypass" above and "System policy modification" below, so it is one action, not three. A change to EnableLUA takes effect only after the next restart.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Note: the recorded event is a write-open of \??\PhysicalDrive0, i.e. raw access to the system disk below the file system. The report does not capture what, if anything, was written, so confirm with a dump of sector 0 of the detonation disk (compared against a clean image) before concluding that the MBR was altered.

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Note: autorun.inf is written to the root of the volumes found by the drive enumeration above (C: and F: in this run). This is the removable-media and mapped-drive spreading path. Windows 7 and later no longer honour autorun.inf on USB and fixed media, so on a patched estate the file is more useful as an infection marker than as a live propagation risk.

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Note: every path in this table is an existing executable opened for modification, not a newly created file. For a Sality-tagged sample this matches the family's file-infector behaviour (it appends its code to reachable .exe files), so the 7-Zip, Java updater and Office Click-to-Run binaries on this host should be treated as infected and reinstalled from known-good media, not handled as "dropped files" to delete.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A

Note: Sality is documented to store its state in a [MCIDRV_VER] section of C:\Windows\system.ini. The presence of that section is a quick on-host check for this family.

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Note: all three rows come from msedge.exe, which was opened on http://127.0.0.1:88/ during detonation (see Processes), not from the sample. BIOS manufacturer/product queries are ordinary browser start-up behaviour and should not be read as sandbox fingerprinting by aspweb88.exe.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A (28 identical rows, collapsed)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 identical rows, collapsed)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 identical rows, collapsed)

Note: the Edge and identity_helper rows are normal browser process housekeeping. The 28 enumerations by aspweb88.exe are the target selection for the cross-process writes recorded under WriteProcessMemory below.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A (64 identical rows, collapsed)

Note: SeDebugPrivilege lets a process open processes it would otherwise have no access to, and is the usual prelude to the cross-process writes recorded under WriteProcessMemory below. Sixty-four enablements from one binary over a two-minute run is itself a strong anomaly for anything that is not a debugger or security tool.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows, collapsed)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows, collapsed)

Note: this table and the FindShellTrayWindow table above are dominated by Edge's own window messaging, which is expected for a GUI application. The single aspweb88.exe hit in each is the only row attributable to the sample.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 3712 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 3712 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\dwm.exe
PID 3712 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\sihost.exe
PID 3712 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 3712 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\taskhostw.exe
PID 3712 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE
PID 3712 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 3712 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\DllHost.exe
PID 3712 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3712 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 3712 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3712 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 3712 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\System32\RuntimeBroker.exe
PID 3712 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3712 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3712 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3712 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3520 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows, collapsed)
PID 3520 wrote to memory of 1592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows, collapsed)
PID 3520 wrote to memory of 2524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows, collapsed)
PID 3520 wrote to memory of 4748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows, collapsed)

Note: the PID 3520 rows are msedge.exe writing into its own child processes, which is how Chromium-based browsers bootstrap renderer and utility processes and is expected. The rows that matter are PID 3712 (aspweb88.exe) writing into fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE, DllHost.exe, RuntimeBroker.exe and the other session processes listed above. Writing into nearly every process in the session is consistent with Sality's documented injection into running processes; each of those processes must be treated as compromised for the remainder of the detonation, which is also why the behavioral1 and behavioral2 runs report "taskhost.exe" and "fontdrvhost.exe" as their command lines.
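The distinction drawn in the note above, between a process writing into its own children and a process writing into everything else in the session, is easy to automate over the report's flattened rows. The script below is an added example for this page, not the sandbox vendor's code and not anything recovered from the sample. Its sample rows are a subset of the WriteProcessMemory table above, duplicates included, and the three-target threshold it uses to flag a writer is an assumption chosen so that a parent spawning a handful of children is not flagged.

```python
"""Triage helper: rebuild the process-injection graph from the flattened
WriteProcessMemory rows of a sandbox report and separate cross-image
injection from a parent bootstrapping its own children.

Added example for this report page; not the sandbox vendor's code.
The sample rows are a subset of the table above, and the three-target
threshold used for flagging is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample: rows copied from the table above, with the report's
# duplicate rows kept on purpose so the parser has to de-duplicate them.
SAMPLE_ROWS = r"""
PID 3712 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 3712 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\fontdrvhost.exe
PID 3712 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\dwm.exe
PID 3712 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\system32\svchost.exe
PID 3712 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Windows\Explorer.EXE
PID 3712 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3712 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\aspweb88.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3520 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3520 wrote to memory of 1592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3520 wrote to memory of 1592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<images>.+)$")
# Two image paths follow, separated by one space; the paths themselves contain
# spaces ("Program Files (x86)"), so split only where a new drive letter starts.
IMAGE_SPLIT_RE = re.compile(r" (?=[A-Za-z]:\\)")


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text: str) -> list:
    """Return the distinct (writer, target) edges in the table, sorted by PID."""
    edges = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parts = IMAGE_SPLIT_RE.split(m["images"], maxsplit=1)
        if len(parts) != 2:
            continue  # malformed row: skip rather than guess the split
        edges.add(MemWrite(int(m["src"]), int(m["dst"]), parts[0], parts[1]))
    return sorted(edges, key=lambda e: (e.src_pid, e.dst_pid))


@dataclass
class Writer:
    pid: int
    image: str
    targets: dict = field(default_factory=dict)  # dst_pid -> dst_image

    @property
    def cross_image_targets(self) -> dict:
        """Targets that run a different executable than the writer."""
        return {pid: img for pid, img in self.targets.items()
                if img.lower() != self.image.lower()}

    @property
    def injection_suspected(self) -> bool:
        # Assumed threshold: writes into three or more processes running a
        # different image. A browser writing into its own child processes
        # stays same-image and is not flagged.
        return len(self.cross_image_targets) >= 3


def summarize(edges) -> dict:
    """Group edges by writing PID into Writer records."""
    writers = {}
    for e in edges:
        w = writers.setdefault(e.src_pid, Writer(e.src_pid, e.src_image))
        w.targets[e.dst_pid] = e.dst_image
    return writers


if __name__ == "__main__":
    for pid, w in summarize(parse_rows(SAMPLE_ROWS)).items():
        verdict = "INJECTION SUSPECTED" if w.injection_suspected else "same-image / low"
        print(f"PID {pid} ({w.image}): {len(w.targets)} targets, "
              f"{len(w.cross_image_targets)} cross-image -> {verdict}")
```

On the sample rows PID 3712 resolves to six distinct targets, all running a different image, and is flagged; PID 3520 resolves to two same-image children and is not. Run against the full table the same code isolates the eighteen aspweb88.exe rows from the forty-six Edge rows in one pass.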

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
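The firewall-policy, UAC, Security Center and system-policy tables above all reduce to a handful of integer registry writes by one process, which is a convenient shape for a triage rule. The script below is an added example for this page, not the sandbox vendor's code and not taken from the sample; it parses "Set value (int)" rows in the report's flattened format, folds the path variants the report shows (the native \REGISTRY\MACHINE prefix, WOW6432Node redirection, numbered ControlSet) and scores each writing process against a rule table. The rule table, its safe values and the "two or more protection surfaces" threshold are assumptions; the benign Explorer row in the sample input is constructed and does not appear in the report.

```python
"""Triage helper: extract registry writes from a flattened sandbox signature
table and score them against a Sality-style security-tampering rule.

Added example for this report page; not the sandbox vendor's code.
The rule table, safe values and two-surface threshold are assumptions; the
benign Explorer row in the sample is constructed."""
import re
from dataclasses import dataclass, field

# Rows copied from the behavioral2 tables above, plus one constructed benign
# row and one "Key created" row, which carries no value and is skipped.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\aspweb88.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\Explorer.EXE N/A
"""

ROW_RE = re.compile(r'^Set value \(int\) (?P<path>\\REGISTRY\\.+?) = "(?P<val>-?\d+)" (?P<proc>.+?) N/A$')


def normalize_key(path: str) -> str:
    """Lower-case the path and fold the variants the report shows: the native
    registry prefix becomes hklm, WOW6432Node redirection is removed (the
    sample is a 32-bit process on 64-bit Windows) and ControlSetNNN becomes
    CurrentControlSet."""
    k = path.lower()
    k = re.sub(r"^\\registry\\machine\\", r"hklm\\", k)
    k = k.replace("\\wow6432node\\", "\\")
    k = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)
    return k


def _k(*parts: str) -> str:
    return "hklm\\" + "\\".join(parts)


_FW = ("system", "currentcontrolset", "services", "sharedaccess",
       "parameters", "firewallpolicy", "standardprofile")
_SC = ("software", "microsoft", "security center")
_POL = ("software", "microsoft", "windows", "currentversion", "policies", "system")

# normalized path -> (tampered value, protection surface, safe value or None, note)
TAMPER_RULES = {
    _k(*_FW, "enablefirewall"): ("0", "firewall", "1", "Windows Firewall switched off"),
    _k(*_FW, "disablenotifications"): ("1", "firewall", "0", "firewall notifications suppressed"),
    _k(*_FW, "donotallowexceptions"): ("0", "firewall", None, "firewall exceptions forced on (default value, informational)"),
    _k(*_POL, "enablelua"): ("0", "uac", "1", "UAC disabled (effective after restart)"),
    _k(*_SC, "antivirusoverride"): ("1", "security_center", "0", "legacy Security Center: AV state overridden"),
    _k(*_SC, "antivirusdisablenotify"): ("1", "security_center", "0", "legacy Security Center: AV alerts suppressed"),
    _k(*_SC, "firewalloverride"): ("1", "security_center", "0", "legacy Security Center: firewall state overridden"),
    _k(*_SC, "firewalldisablenotify"): ("1", "security_center", "0", "legacy Security Center: firewall alerts suppressed"),
    _k(*_SC, "updatesdisablenotify"): ("1", "security_center", "0", "legacy Security Center: update alerts suppressed"),
    _k(*_SC, "uacdisablenotify"): ("1", "security_center", "0", "legacy Security Center: UAC alerts suppressed"),
}


@dataclass
class RegWrite:
    path: str      # normalized full path including the value name
    value: str
    process: str


def parse_rows(text: str) -> list:
    """Parse 'Set value (int)' rows; 'Key created' / 'Key opened' rows are skipped."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            writes.append(RegWrite(normalize_key(m["path"]), m["val"], m["proc"]))
    return writes


@dataclass
class Finding:
    process: str
    surfaces: set = field(default_factory=set)
    hits: list = field(default_factory=list)          # (path, note)
    remediation: dict = field(default_factory=dict)   # path -> safe value

    @property
    def sality_like(self) -> bool:
        # Assumed threshold: one process tampering with two or more distinct
        # protection surfaces (firewall, UAC, Security Center).
        return len(self.surfaces) >= 2


def evaluate(writes) -> dict:
    """Match each write against TAMPER_RULES and group hits by writing process."""
    findings = {}
    for w in writes:
        rule = TAMPER_RULES.get(w.path)
        if rule is None or w.value != rule[0]:
            continue
        _bad, surface, safe, note = rule
        f = findings.setdefault(w.process, Finding(w.process))
        f.surfaces.add(surface)
        f.hits.append((w.path, note))
        if safe is not None:
            f.remediation[w.path] = safe
    return findings


if __name__ == "__main__":
    for proc, f in evaluate(parse_rows(SAMPLE_ROWS)).items():
        print(f"{proc}: surfaces={sorted(f.surfaces)} sality_like={f.sality_like}")
        for path, note in f.hits:
            print(f"  {note} [{path}]")
```

On the sample rows aspweb88.exe touches all three surfaces and is flagged, while the constructed Explorer row matches no rule. The remediation map lists the registry values to restore, but for this family that is only the first step: the note under "Drops file in Program Files directory" above is the reason a host that ran this sample needs its executables reinstalled, not just its registry repaired.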

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\aspweb88.exe

"C:\Users\Admin\AppData\Local\Temp\aspweb88.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://127.0.0.1:88/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff917ec46f8,0x7ff917ec4708,0x7ff917ec4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9257174489152947831,12353266262562606813,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.netbox.cn udp
N/A 224.0.0.251:5353 N/A udp
N/A 127.0.0.1:88 tcp
N/A 127.0.0.1:88 tcp

Files

memory/3712-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3712-1-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-3-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-6-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-13-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3712-12-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-7-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-14-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-11-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3712-5-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-4-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-10-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-9-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/3712-8-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3712-15-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-19-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-20-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-21-0x0000000002430000-0x00000000034BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_3520_IFPEKHILWOEYUTNN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

memory/3712-37-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-40-0x0000000002430000-0x00000000034BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7dd2c59ceb4ff5e81a0a4c26a8a50371
SHA1 3c923ed14d3db182371e77039ae7e383717fdc37
SHA256 0236eb046dd35f52fd11697296a70557abcb9d076473518942a5f6d8049aee2e
SHA512 6f24d0da7bb8e1ddf7ba5c9b5acfc22cfdbaa8395bc02da2df4f1b25b9617ab832aa538ac4c531e7fb4063c0a1f807503d0acdc86e282a1e79c32fd73826f029

memory/3712-50-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3712-49-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-51-0x0000000002430000-0x00000000034BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

memory/3712-72-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-73-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-75-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-81-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-83-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-86-0x0000000002430000-0x00000000034BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 568b844f79c450017aea51e4595b21e6
SHA1 8cc5cf233115b0dcafac241e653a2bc5ef2cf8dd
SHA256 f13abfcced376d6cbbf7370560240fa7ad00ac2b38f1b1bf7463fe29409058a2
SHA512 2c1eb4ff141fc4bd376e5ee65f8f1e4b450579195a989634f8b0ab9cdda94398c2d69d393c96e39a5c2d8c680a22fce9a9e92a7b0a387c99c1fc65a96e534c8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f4b3789dd7b8166dd7c7f3ccac1efb72
SHA1 a50b236c2ba092cdbbfe9b3ac6de614be955b2ef
SHA256 8d3fbc217e7fd0f1a35424de69b20950d01bdfd9d88a1a030f2658d0fb56f6de
SHA512 204fc9e38cff82ec9519fc4d115306b5cc294ffd40be8febd258c8362a167b9dddc33ab37ba18fb0488adc53801e4c3bd4bd4f5d9a90966010ab77cb29c02c16

memory/3712-102-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-104-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-107-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-110-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-111-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-112-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-114-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-116-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-119-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-126-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-128-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-129-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-133-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-134-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-136-0x0000000002430000-0x00000000034BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ec5c003782efef6414df82748b8ea7ab
SHA1 841f6d040a67f9068998a60882e6ebe6f3a0a0a6
SHA256 b4925aa5faa715ae857446f5235389049260b753382e39b3b2c35c897a30c140
SHA512 b96c4233f902ae407cd2a3b3f4ce1f701d29483ee229c08705d56bbe28e829db86893a914a07bc634a2f850161f9d22efd1e2a8ccf3daf9a7c5f514c5edaad55

memory/3712-137-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-156-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-157-0x00000000006A0000-0x00000000006A2000-memory.dmp

F:\ilvppg.exe

MD5 dfa01ed47b932155f5225d1d2cd79ee0
SHA1 8db90f274b522664d2f3bf7a7559953722f5b088
SHA256 753a616e735e85f13760ec84e6e15a2429ba1750951dd9a4615488e9e10ef870
SHA512 8de6e93b15837c026e099b20b99cea273195f3657f41e56f242bb6f2b0fcd1bf0d95ca1b694657e322a0af216eaa42c0bbc40d67eeab0313ae7f1412ab51024e
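The Files list above mixes three kinds of artifact: memory dumps named `memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp`, on-disk files with their digests, and a named pipe whose digests are those of zero bytes. The parser below is an added example for this page, not part of the report or of any sandbox's code; it turns such a listing into per-region dump counts and sizes and flags the entries worth opening first. `SAMPLE_FILES` is a constructed subset of the entries listed above with the SHA512 lines left out.

```python
r"""Parse the Files list of a sandbox report into memory regions and dropped files
(added example, not part of the report).

Entries follow the report's own layout: an artifact name on its own line, followed
for on-disk files by MD5/SHA1/SHA256/SHA512 lines. Memory dumps are named
    memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
SAMPLE_FILES is a constructed subset of the entries listed above (SHA512 omitted).
"""
import re
from collections import defaultdict

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")

# SHA-256 of zero bytes: an artifact listed with this digest had no content when hashed.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

SAMPLE_FILES = r"""
memory/3712-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3712-1-0x0000000002430000-0x00000000034BE000-memory.dmp

memory/3712-3-0x0000000002430000-0x00000000034BE000-memory.dmp

\??\pipe\LOCAL\crashpad_3520_IFPEKHILWOEYUTNN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

memory/3712-50-0x0000000000400000-0x00000000005A9000-memory.dmp

F:\ilvppg.exe

MD5 dfa01ed47b932155f5225d1d2cd79ee0
SHA1 8db90f274b522664d2f3bf7a7559953722f5b088
SHA256 753a616e735e85f13760ec84e6e15a2429ba1750951dd9a4615488e9e10ef870
"""


def parse_files(text):
    """Return (dumps, files). dumps: list of (pid, seq, start, end) ints.
    files: list of {"path": str, "hashes": {algo: hex}} in listing order."""
    dumps, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None  # digest lines never follow a memory dump
            continue
        h = HASH_RE.match(line)
        if h:
            if current is not None:
                current["hashes"][h.group(1)] = h.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return dumps, files


def summarize_regions(dumps):
    """Group dumps by (pid, start, end). A region dumped again and again during one
    run is memory whose contents kept changing; for a packed sample that is where
    the unpacked code lives, so its size and dump count say where to look first."""
    regions = defaultdict(lambda: {"count": 0, "size": 0, "seqs": []})
    for pid, seq, start, end in dumps:
        r = regions[(pid, start, end)]
        r["count"] += 1
        r["size"] = end - start
        r["seqs"].append(seq)
    return dict(regions)


def flag_files(files):
    """Return (path, reason) pairs for entries an analyst should open first."""
    findings = []
    for f in files:
        path = f["path"]
        if path.startswith("\\??\\pipe\\"):
            findings.append((path, "named pipe, not an on-disk file"))
        if f["hashes"].get("SHA256") == EMPTY_SHA256:
            findings.append((path, "empty content; digest is the hash of zero bytes"))
        # An .exe at the root of a drive other than the sandbox's system drive
        # (C: in this report) is the shape of removable-media propagation.
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+\.exe", path, re.IGNORECASE) and not path.upper().startswith("C:"):
            findings.append((path, "executable dropped at the root of a non-system drive"))
    return findings


if __name__ == "__main__":
    dumps, files = parse_files(SAMPLE_FILES)
    for (pid, start, end), r in sorted(summarize_regions(dumps).items()):
        print(f"pid {pid} 0x{start:08X}-0x{end:08X} {r['size']:>10} bytes, dumped {r['count']}x")
    for path, reason in flag_files(files):
        print(f"{path}: {reason}")
```

Run against the full list above, the 0x02430000-0x034BE000 region of PID 3712 stands out: roughly 17 MB, dumped dozens of times across the run while the image region at 0x00400000-0x005A9000 appears only twice. The `F:\ilvppg.exe` drop pairs with the "Drops autorun.inf file" and "Enumerates connected drives" signatures in the overview, so it is the file to hash-match against the submitted sample first.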