Malware Analysis Report

2024-09-11 12:18

Sample ID: 240617-vjqzlszhrp
Target: 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe
SHA256: 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632
Tags: sality backdoor bootkit evasion persistence trojan upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632

Threat Level: Known bad

The file 599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Sality

Windows security bypass

Modifies firewall policy service

UAC bypass

UPX packed file

Deletes itself

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

System policy modification

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-17 17:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 17:01
Reported: 2024-06-17 17:04
Platform: win7-20240508-en
Max time kernel: 50s
Max time network: 126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Sality

backdoor sality

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Windows security bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\r: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\s: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\m: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\g: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\u: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\v: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\o: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\p: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\L: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\y: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\J: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\j: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\z: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\R: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\n: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\k: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\q: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\b: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\i: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\l: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\S: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\a: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\w: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\t: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\x: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\h: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\O: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\M: | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F94D361-2CCB-11EF-A9A6-4658C477BD5D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000d38b08ba00b33849bacbe6b9252e824e7f430627e13c9b565728e37dba19b69e000000000e800000000200002000000060737877868a5400ca1da745ead1b97cb358274601a289fdecae8c0d1e9a116c2000000039df8b72ec3c5ebd9320c661010ad644fe53b78601912685b5ec1b08cc5eb00240000000a3643fbc78c8b34b953dcf35de7575fc6d267c626e098f2b9dc9de07277a9e4a99cdb4e1aa86254d4d976f89e9c23bc665b0d384b7a28344e7bb9df14caafab1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e5d114d8c0da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Windows\system32\taskhost.exe
PID 1728 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Windows\system32\Dwm.exe
PID 1728 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Windows\Explorer.EXE
PID 1728 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Windows\system32\DllHost.exe
PID 1728 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 2524 | N/A | C:\Windows\explorer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2524 wrote to memory of 2980 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Windows\explorer.exe
PID 1728 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2980 wrote to memory of 1116 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\system32\taskhost.exe
PID 2980 wrote to memory of 1172 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\system32\Dwm.exe
PID 2980 wrote to memory of 1208 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 1756 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\system32\DllHost.exe
PID 2980 wrote to memory of 2624 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\explorer.exe
PID 2980 wrote to memory of 2524 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Program Files\Internet Explorer\iexplore.exe
PID 2980 wrote to memory of 1208 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\Explorer.EXE
PID 2980 wrote to memory of 1756 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\system32\DllHost.exe
PID 2980 wrote to memory of 2624 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\explorer.exe
PID 2980 wrote to memory of 2524 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe

"C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe "http://localhost:80"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp

Files

memory/1728-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/1728-8-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-3-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-5-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-10-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-9-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-7-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-4-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-11-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-6-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-13-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-26-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/1728-25-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1728-23-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1728-22-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/1116-14-0x0000000002070000-0x0000000002072000-memory.dmp

memory/1728-12-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-29-0x0000000075920000-0x0000000075921000-memory.dmp

memory/1728-30-0x0000000075910000-0x0000000075A00000-memory.dmp

memory/1728-31-0x0000000075910000-0x0000000075A00000-memory.dmp

memory/1728-32-0x0000000075910000-0x0000000075A00000-memory.dmp

memory/1728-34-0x0000000075910000-0x0000000075A00000-memory.dmp

memory/1728-35-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-36-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-37-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-47-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-48-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-49-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-51-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-53-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-55-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-56-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-57-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/1728-76-0x0000000004D40000-0x0000000004D42000-memory.dmp

memory/1728-73-0x0000000006360000-0x0000000006361000-memory.dmp

memory/1728-77-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-79-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-80-0x0000000075910000-0x0000000075A00000-memory.dmp

memory/1728-83-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-90-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/1728-112-0x0000000075910000-0x0000000075A00000-memory.dmp

memory/1728-139-0x0000000001F10000-0x0000000002F9E000-memory.dmp

memory/1728-140-0x0000000075910000-0x0000000075A00000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 fae003797d2120545e9ec3d0e768eb75
SHA1 d4c0f6af4f163c9cc935da61425779f0ec7a653b
SHA256 a7e01b09e916a5bf2cc27afe5a57e4124cd2b74d0449bdd4f8c534fc20991851
SHA512 35c4e33376d7e7e4790b8ff39c3dc9941bfd4435aafe09573e2962eadd3a22aa008783c885df9971dd644c34763369a2227165461edefaf3120ba59555da63e4

C:\Users\Admin\AppData\Local\Temp\0F7622CC_Rar\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe

MD5 4b7fdcc9f207e2fcd1227b0f58f2631f
SHA1 f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea
SHA256 12407535426bc2951f8f462cc0ffba79763de8a5fc1ee42a532b804263771e00
SHA512 5a9f9f8d7e685fb10ba3f464cffd3178218a51749fde054071aa03fb04915ae3257538abbe8608ad134fb0319d3a43f19281253839053d85990b9518cd916bf1

C:\Users\Admin\AppData\Local\Temp\ridhg.exe

MD5 25aa9bb549ecc7bb6100f8d179452508
SHA1 a3bea5e2138d1558109fa26d46e2f79c3a20228f
SHA256 df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c
SHA512 12e26fa999faf2ca017a49987be5c668930495c26c789e19863097e5b0555add90ecdbb397521436acb47d7f2dfd5029b9b4beed16877ac7df854b3321642e37

C:\umlmww.pif

MD5 fb3cd54ce9e6843b6e87a19d08d10172
SHA1 07870d02a68608f305d006d0c2bf72beee7d753c
SHA256 88f8cadc3cdf943c2f9bb624303183f01c72649bd0ba9de830297916130e4447
SHA512 285366583127937ad65cc0ee2dcb9845f7206b396dc337fbea9b7c146b2b622ec3f881a1946072c4e0798ea064679f5dcab5cb41e5be17b6bad653b4d324d44a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 17:01

Reported

2024-06-17 17:04

Platform

win10v2004-20240611-en

Max time kernel

122s

Max time network

135s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A  [identical row repeated 42 times in the report; duplicates collapsed]

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A  [identical row repeated 25 times in the report; duplicates collapsed]

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A  [identical row repeated 24 times in the report; duplicates collapsed]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\fontdrvhost.exe
PID 3604 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\fontdrvhost.exe
PID 3604 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\dwm.exe
PID 3604 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\sihost.exe
PID 3604 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\svchost.exe
PID 3604 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\taskhostw.exe
PID 3604 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\Explorer.EXE
PID 3604 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\svchost.exe
PID 3604 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\DllHost.exe
PID 3604 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3604 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 3604 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3604 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 3604 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3604 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\System32\RuntimeBroker.exe
PID 3604 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3604 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3604 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe C:\Windows\SysWOW64\explorer.exe  [identical row repeated 3 times in the report; duplicates collapsed]
PID 408 wrote to memory of 5052 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [identical row repeated 2 times in the report; duplicates collapsed]
PID 5052 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [identical row repeated 2 times in the report; duplicates collapsed]
PID 5052 wrote to memory of 2464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [identical row repeated 40 times in the report; duplicates collapsed]

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe N/A
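The two tables above carry the behaviour that drives this sample's score: a binary running from the user's Temp directory writes into the memory of a dozen signed system processes (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, RuntimeBroker and others), then sets EnableLUA to 0, which switches UAC's Admin Approval Mode off system-wide once the machine restarts. The Python below is an added triage example, not part of the sandbox report or its tooling. It parses rows in the report's own row format, groups cross-process writes by source image, flags a source outside the OS and program directories that writes into several distinct other images, and flags registry writes that set a UAC policy value to its weakening setting. The row subset, the system-directory prefixes, the image-count threshold and the list of UAC values are assumptions of the example.

```python
"""Triage the WriteProcessMemory and registry-policy rows of a sandbox
report.  Added example; not part of the report or its tooling."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe")
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Rows copied from the report's WriteProcessMemory table (a representative
# subset).  The three writes into PID 5116 are repeated as in the report.
WPM_ROWS = [
    f"PID 3604 wrote to memory of 764 N/A {SAMPLE} C:\\Windows\\system32\\fontdrvhost.exe",
    f"PID 3604 wrote to memory of 772 N/A {SAMPLE} C:\\Windows\\system32\\fontdrvhost.exe",
    f"PID 3604 wrote to memory of 60 N/A {SAMPLE} C:\\Windows\\system32\\dwm.exe",
    f"PID 3604 wrote to memory of 2976 N/A {SAMPLE} C:\\Windows\\system32\\sihost.exe",
    f"PID 3604 wrote to memory of 3060 N/A {SAMPLE} C:\\Windows\\system32\\svchost.exe",
    f"PID 3604 wrote to memory of 760 N/A {SAMPLE} C:\\Windows\\system32\\taskhostw.exe",
    f"PID 3604 wrote to memory of 3428 N/A {SAMPLE} C:\\Windows\\Explorer.EXE",
    f"PID 3604 wrote to memory of 3568 N/A {SAMPLE} C:\\Windows\\system32\\svchost.exe",
    f"PID 3604 wrote to memory of 3760 N/A {SAMPLE} C:\\Windows\\system32\\DllHost.exe",
    f"PID 3604 wrote to memory of 3924 N/A {SAMPLE} C:\\Windows\\System32\\RuntimeBroker.exe",
    f"PID 3604 wrote to memory of 5116 N/A {SAMPLE} C:\\Windows\\SysWOW64\\explorer.exe",
    f"PID 3604 wrote to memory of 5116 N/A {SAMPLE} C:\\Windows\\SysWOW64\\explorer.exe",
    f"PID 3604 wrote to memory of 5116 N/A {SAMPLE} C:\\Windows\\SysWOW64\\explorer.exe",
    f"PID 408 wrote to memory of 5052 N/A C:\\Windows\\explorer.exe {EDGE}",
    f"PID 5052 wrote to memory of 4520 N/A {EDGE} {EDGE}",
    f"PID 5052 wrote to memory of 2464 N/A {EDGE} {EDGE}",
]
# Row copied from the report's "System policy modification" table.
REG_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows'
    r'\CurrentVersion\Policies\System\EnableLUA = "0" ' + SAMPLE + " N/A",
]

WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_img>.+?\.[Ee][Xx][Ee]) (?P<dst_img>[A-Za-z]:\\.+)$")
REG_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^ ]+)\\'
                    r'(?P<name>[^\\ ]+) = "(?P<value>[^"]*)" (?P<proc>.+?) N/A$')

# Assumptions of this example, not values taken from the report.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAKENING = {"EnableLUA": "0",                   # Admin Approval Mode off after restart
                 "ConsentPromptBehaviorAdmin": "0"}  # admins elevate without any prompt


def parse_wpm(rows):
    """Parse report rows into (src_pid, dst_pid, src_image, dst_image)."""
    out = []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        out.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return out


def injection_findings(rows, min_images=3):
    """Flag a source image outside the OS/program directories that writes
    into at least `min_images` distinct other images.  A shell or browser
    bootstrapping its own child stays below this bar; a Temp binary
    touching a dozen system processes does not."""
    by_src = defaultdict(lambda: {"pids": set(), "images": set(), "writes": 0})
    for _src_pid, dst_pid, src_img, dst_img in parse_wpm(rows):
        rec = by_src[src_img]
        rec["pids"].add(dst_pid)
        rec["images"].add(dst_img.lower())
        rec["writes"] += 1
    findings = []
    for src_img, rec in by_src.items():
        if src_img.lower().startswith(SYSTEM_PREFIXES):
            continue
        others = rec["images"] - {src_img.lower()}
        if len(others) >= min_images:
            findings.append({"source": src_img, "target_pids": len(rec["pids"]),
                             "target_images": sorted(others), "writes": rec["writes"]})
    return findings


def uac_policy_findings(rows):
    """Report registry writes that set a UAC policy value to its weakening
    setting (EnableLUA=0 disables UAC once the machine restarts)."""
    findings = []
    for row in rows:
        m = REG_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        if (m["key"].lower() == UAC_POLICY_KEY.lower()
                and UAC_WEAKENING.get(m["name"]) == m["value"]):
            findings.append({"value": m["name"], "set_to": m["value"], "process": m["proc"]})
    return findings


if __name__ == "__main__":
    for f in injection_findings(WPM_ROWS):
        print(f"{f['source']}: {f['writes']} writes into {f['target_pids']} PIDs / "
              f"{len(f['target_images'])} images")
    for f in uac_policy_findings(REG_ROWS):
        print(f"UAC weakened: {f['value']}={f['set_to']} by {f['process']}")
```

Run against the rows above, the sample is the only source flagged (13 writes into 11 PIDs spanning 9 distinct images), while explorer.exe writing into the Edge it launches and Edge writing into its own child processes are not, which is the separation an analyst wants before reading the Processes list.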

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe

"C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\explorer.exe

explorer.exe "http://localhost:80"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedf2146f8,0x7ffedf214708,0x7ffedf214718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5032905861690367349,11024042476546199413,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2540 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.netbox.cn udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
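Most rows in the Network table are detonation-environment background traffic rather than sample behaviour: Bing lookups and connections made by Edge, one mDNS multicast query, and a run of reverse (in-addr.arpa) lookups. What remains is the lookup of www.netbox.cn and the three connections to 127.0.0.1:80, which line up with the explorer.exe "http://localhost:80" command line in the Processes list. The Python below is an added example, not part of the report or its tooling. It parses the table's rows, sorts them into those buckets, decodes each PTR name back to the address it asks about, and lists the addresses that were reverse-resolved but never appear as a connection destination in the table, a gap worth checking against the raw capture. The vendor-domain allowlist is an assumption of the example.

```python
"""Sort a sandbox report's Network table into background noise and
sample-attributable traffic.  Added example; not part of the report."""
import ipaddress

# Rows copied from the report's Network table (country, ip:port, optional
# domain, protocol).  The 224.0.0.251 and 127.0.0.1 rows have no domain.
NET_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.netbox.cn udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
""".splitlines()

PTR_SUFFIX = ".in-addr.arpa"
# Assumption: domains the detonation image's browser and OS talk to on their own.
VENDOR_NOISE_SUFFIXES = ("bing.com",)


def parse(row):
    """Split one report row; the domain column is absent on some rows."""
    parts = row.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1]}


def ptr_to_ip(name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237' (None if not a PTR name)."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def classify(rows):
    """Bucket rows: reverse lookups, mDNS, loopback, vendor background
    traffic, remaining DNS lookups, remaining connections."""
    buckets = {k: [] for k in ("ptr_lookup", "mdns", "loopback",
                               "vendor_noise", "lookup", "connection")}
    for rec in map(parse, rows):
        addr = ipaddress.ip_address(rec["ip"])
        domain = rec["domain"] or ""
        if domain.endswith(PTR_SUFFIX):
            buckets["ptr_lookup"].append(rec)
        elif addr.is_multicast:
            buckets["mdns"].append(rec)
        elif addr.is_loopback:
            buckets["loopback"].append(rec)
        elif domain.endswith(VENDOR_NOISE_SUFFIXES):
            buckets["vendor_noise"].append(rec)
        elif rec["port"] == 53:
            buckets["lookup"].append(rec)
        else:
            buckets["connection"].append(rec)
    return buckets


def ptr_without_connection(rows):
    """Addresses the host reverse-resolved but, per the table, never
    connected to.  These are the ones to look for in the raw capture."""
    contacted = {r["ip"] for r in map(parse, rows) if r["port"] != 53}
    asked = {ptr_to_ip(r["domain"]) for r in classify(rows)["ptr_lookup"]}
    return sorted(asked - contacted, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for name, recs in classify(NET_ROWS).items():
        names = sorted({r["domain"] or r["ip"] for r in recs})
        print(f"{name:13s} {len(recs):2d}  {', '.join(names)}")
    print("reverse-resolved, never contacted:", ptr_without_connection(NET_ROWS))
```

On this table the only lookup left after the noise buckets is www.netbox.cn, the only non-vendor connections are the three to 127.0.0.1:80, and nine of the eleven reverse lookups ask about addresses that never appear as a destination here; only the two Bing addresses are both reverse-resolved and connected to.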

Files

memory/3604-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3604-3-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-6-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-8-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-11-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/3604-10-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3604-5-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-7-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-1-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-13-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3604-9-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-15-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-12-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3604-14-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-19-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-20-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-21-0x0000000002390000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b704c9ca0493bd4548ac9c69dc4a4f27
SHA1 a3e5e54e630dabe55ca18a798d9f5681e0620ba7
SHA256 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
SHA512 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

\??\pipe\LOCAL\crashpad_5052_IRCYSWDUJZVAHODU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of zero-length input: the Edge crash-handler named pipe was opened but no content was captured from it.)

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 477462b6ad8eaaf8d38f5e3a4daf17b0
SHA1 86174e670c44767c08a39cc2a53c09c318326201
SHA256 e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
SHA512 a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

memory/3604-37-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-38-0x0000000002390000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6f4acbce797e512118568af05e05139c
SHA1 906bfcea1ad9bbf43bbf56ea8477b689902b70d1
SHA256 62f1ee2501399709463e5644fc07a70226719f87073573585e6fa21514bd2315
SHA512 282c9fa48cf87ae23e05606b6429c87005fee7ee68e083bf829b9ee70f953a9debfc18d18924970ca0f4ba6cac8304f7f2de01727c0d0d9c20515792f15eea98

memory/3604-49-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-50-0x0000000002390000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3604-58-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-59-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-63-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/3604-64-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-70-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-72-0x0000000002390000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 071e81e8275487d5b2651e1bcfa48ee7
SHA1 136574f47a24dee33a5c044b6123cbd2803ed557
SHA256 ba5dff1213578fee126210aa1e4f8a41bb04b628bc9525f47e2836af063b88cb
SHA512 1c292dedb5744afc5ec208a941100cb0e10070c35e07d3ae6b5bbb0f9db89b8f3e484289efd0a90eb5f8ffcc7d5b44006b226852a0e78c7d968c46b64f19dd59

memory/3604-80-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-81-0x0000000002390000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bf1ce09d88338c3979213df907989bb9
SHA1 7ea48ec082a000501099c2c5b089cec069966daa
SHA256 7cc9775e6e48f33dae53e57690a066218f8b5c3d663b571fca1feb9da5d1c1e4
SHA512 11120aa6d396b385900c1ace55cf8d6537b0ad4766bcc8e537841c2c677ccc816690bffa631aa693ed37ae7c7a67791ccaf4a1c352345e5ee90c11629b388ac9

memory/3604-92-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-93-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-94-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-98-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-100-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-102-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-103-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-105-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-107-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-114-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-115-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-117-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-119-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-120-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-122-0x0000000002390000-0x000000000341E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8ebc614be7b4da8f18cf3beb1f20cf9c
SHA1 c0ba938ded2f994087443c67bf74122d6858a6e1
SHA256 88bc9aad498cbbed7a2b5544c3a51fa0ceb103b2af2cd30085c9094558cee00d
SHA512 8f859f39db48d11245bba2c23e904c4da84c147f70ee114ca4ee21aa07815a1fdea08e892a409e13d6d7b314db652cc9361882a09a07a5b830715a3d32c510c3

memory/3604-143-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-144-0x0000000002390000-0x000000000341E000-memory.dmp

memory/3604-145-0x0000000000670000-0x0000000000672000-memory.dmp

F:\iown.exe

MD5 416d1e8e86e76c54e1dd80032aff9114
SHA1 e6fad4f71676438639a2d40bbf250a0485180d0d
SHA256 b3c1a9606e038a980ee4deb25a6f1c6c2d29fae385bc2444c250e70ea601b4ce
SHA512 acaddc621a891f631d56ad36cb025f55ad7ef59886a326de947a7bd87b09ed5afb10e4cf6e340867ed2c93e44251e5dd8b1a593e88958bb060ace570fc18d1c9