Edit tour

Windows Analysis Report
Legjong.exe

Overview

General Information

Sample name:	Legjong.exe
Analysis ID:	1632519
MD5:	6a8d21f20ec24fb72ce8fc471d3b9bd4
SHA1:	abd319d362802887c8a8594b926d8977e860e43f
SHA256:	186378c4ae0e7c3a2065aa6a2cd667978c93e6895bf5ddbb2c4b1dcfb96876e1
Tags:	exeuser-2huMarisa
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to disable the Task Manager (.Net Source)

Disable Task Manager(disabletaskmgr)

Disables the Windows registry editor (regedit)

Disables the Windows task manager (taskmgr)

Infects the VBR (Volume Boot Record) of the hard disk

Joe Sandbox ML detected suspicious sample

Modifies Group Policy settings

Protects its processes via BreakOnTermination flag

Uses cmd line tools excessively to alter registry or file data

Writes directly to the primary disk partition (DR0)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to simulate mouse events

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

Legjong.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\Legjong.exe" MD5: 6A8D21F20EC24FB72CE8FC471D3B9BD4)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

legjong.exe (PID: 7724 cmdline: "C:\Users\user\AppData\Local\Temp\legjong.exe" MD5: 8A0FE5AFC55DB4DFC9A5FA83B41E1474)

cmd.exe (PID: 7972 cmdline: "cmd.exe" /C reg delete HKCR /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8112 cmdline: reg delete HKCR /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7980 cmdline: "cmd.exe" /C reg delete HKU /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8104 cmdline: reg delete HKU /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7988 cmdline: "cmd.exe" /C reg delete HKCC /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8096 cmdline: reg delete HKCC /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

msconfig.exe (PID: 8212 cmdline: "C:\Windows\System32\msconfig.exe" MD5: 39009536CAFE30C6EF2501FE46C9DF5E)

tabcal.exe (PID: 8244 cmdline: "C:\Windows\System32\tabcal.exe" MD5: 40F4014416FF0CBF92A9509F67A69754)

mmc.exe (PID: 8292 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\DevModeRunAsUserConfig.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

sethc.exe (PID: 8684 cmdline: "C:\Windows\System32\sethc.exe" MD5: 8BA3A9702A3F1799431CAD6A290223A6)

sigverif.exe (PID: 8712 cmdline: "C:\Windows\System32\sigverif.exe" MD5: 2151A535274B53BA8A728E542CBC07A8)

attrib.exe (PID: 8888 cmdline: "C:\Windows\System32\attrib.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 8900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sppsvc.exe (PID: 8944 cmdline: "C:\Windows\System32\sppsvc.exe" MD5: 320823F03672CEB82CC3A169989ABD12)

MicrosoftEdgeCP.exe (PID: 8972 cmdline: "C:\Windows\System32\MicrosoftEdgeCP.exe" MD5: 1472361DB9BC28F6C4CB327FE5E35393)

PrintBrmUi.exe (PID: 7796 cmdline: "C:\Windows\System32\PrintBrmUi.exe" MD5: DE8E119720F0210DEB0898A78AA59F1E)

DeviceEject.exe (PID: 8128 cmdline: "C:\Windows\System32\DeviceEject.exe" MD5: ABCCD41E21586BB8A669E9B2F04CB65E)

RMActivate_ssp.exe (PID: 8344 cmdline: "C:\Windows\System32\RMActivate_ssp.exe" MD5: BD0286D43F3BBE29B80A69383AE998CF)

conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GameBarPresenceWriter.exe (PID: 8388 cmdline: "C:\Windows\System32\GameBarPresenceWriter.exe" MD5: 844ACA5CF399BB64E3577360A423E7D8)

diskpart.exe (PID: 8792 cmdline: "C:\Windows\System32\diskpart.exe" MD5: 2D41524191D61538A59D5B03E4ECD8AB)

conhost.exe (PID: 8828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chglogon.exe (PID: 2132 cmdline: "C:\Windows\System32\chglogon.exe" MD5: 96C637283D92573C121B34513C267987)

conhost.exe (PID: 1872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OpenWith.exe (PID: 2304 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 8364 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 8504 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 9124 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 8120 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 8488 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

OpenWith.exe (PID: 8672 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Legjong.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Avira: detection malicious, Label: TR/AD.Nekark.apwve

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: Legjong.exe	ReversingLabs: Detection: 57%
Source: Legjong.exe	Virustotal: Detection: 68%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.4% probability

Source: Legjong.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Hanii Files\unsafe\Malipune\legjong_launcher\obj\Release\Legjong.pdb source: Legjong.exe
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL\obj\Release\net40\SharpGL.pdbSHA256 source: Legjong.exe, SharpGL.dll.0.dr
Source:	Binary string: D:\Hanii Files\unsafe\Malipune\legjong\obj\Release\legjong.pdb source: Legjong.exe, legjong.exe.0.dr
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL.SceneGraph\obj\Release\net40\SharpGL.SceneGraph.pdb source: Legjong.exe, SharpGL.SceneGraph.dll.0.dr
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL.SceneGraph\obj\Release\net40\SharpGL.SceneGraph.pdbSHA256 source: Legjong.exe, SharpGL.SceneGraph.dll.0.dr
Source:	Binary string: D:\Hanii Files\unsafe\Malipune\legjong_launcher\obj\Release\Legjong.pdb< source: Legjong.exe
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL\obj\Release\net40\SharpGL.pdb source: Legjong.exe, SharpGL.dll.0.dr

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: legjong.exe, 00000002.00000002.1793640225.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 7https://www.facebook.com/profile.php?id=100058036710031 equals www.facebook.com (Facebook)
Source: Legjong.exe, legjong.exe.0.dr	String found in binary or memory: runas#reg delete HKU /f%reg delete HKCC /f#\\.\PhysicalDriveohttps://www.facebook.com/profile.php?id=100058036710031 equals www.facebook.com (Facebook)

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: mmc.exe, 0000001B.00000002.1828915384.000000001F470000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 0000001B.00000002.1828915384.000000001F44D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://localhost:8080/URLs.html
Source: mmc.exe, 0000001B.00000002.1829554152.000000001F49B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://myserver.corp.contoso.com/
Source: mmc.exe, 0000001B.00000002.1830882175.000000001F547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.company.com/printers.
Source: mmc.exe, 0000001B.00000002.1815138464.000000001E66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com
Source: mmc.exe, 0000001B.00000002.1815138464.000000001E66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com.
Source: mmc.exe, 0000001B.00000002.1815138464.000000001E66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com/U
Source: mmc.exe, 0000001B.00000002.1815138464.000000001E66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com/yed
Source: mmc.exe, 0000001B.00000002.1828915384.000000001F470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/E489vw).
Source: mmc.exe, 0000001B.00000002.1815138464.000000001E66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localhost:8080/Config.xml

Source: C:\Windows\System32\mmc.exe

Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Process information set: 01 00 00 00

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Code function: 2_2_00007FFC3DE40E6D NtSetInformationProcess,		2_2_00007FFC3DE40E6D
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Code function: 2_2_00007FFC3DE41D5D NtSetInformationProcess,		2_2_00007FFC3DE41D5D

Source: C:\Windows\System32\mmc.exe	File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Windows\System32\mmc.exe	File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Windows\System32\mmc.exe	File created: C:\Windows\System32\GroupPolicy\User

Source: SharpGL.dll.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Legjong.exe, 00000000.00000000.1176394873.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSharpGL.dll0 vs Legjong.exe
Source: Legjong.exe, 00000000.00000000.1176394873.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSharpGL.SceneGraph.dllF vs Legjong.exe
Source: Legjong.exe, 00000000.00000002.1186840746.0000000012DD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSharpGL.dll0 vs Legjong.exe
Source: Legjong.exe, 00000000.00000002.1186840746.0000000012DD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSharpGL.SceneGraph.dllF vs Legjong.exe
Source: Legjong.exe	Binary or memory string: OriginalFilenameSharpGL.dll0 vs Legjong.exe
Source: Legjong.exe	Binary or memory string: OriginalFilenameSharpGL.SceneGraph.dllF vs Legjong.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg delete HKCC /f

Source: legjong.exe.0.dr, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: legjong.exe.0.dr, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Legjong.exe.2ddd880.2.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Legjong.exe.2ddd880.2.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.Legjong.exe.2ddd880.2.raw.unpack, Program.cs	Suspicious method names: .sendtextslow.PayloadSetText
Source: 0.2.Legjong.exe.2ddd880.2.raw.unpack, Program.cs	Suspicious method names: .sendtext.PayloadSetText
Source: legjong.exe.0.dr, Program.cs	Suspicious method names: .sendtextslow.PayloadSetText
Source: legjong.exe.0.dr, Program.cs	Suspicious method names: .sendtext.PayloadSetText

Source: classification engine

Classification label: mal100.evad.winEXE@98/13@1/0

Source: C:\Users\user\Desktop\Legjong.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Legjong.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\mmc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8900:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9124:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\tabcal.exe	Mutant created: \Sessions\1\BaseNamedObjects\TabCalSingleInstance
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3032:120:WilError_03

Source: C:\Users\user\Desktop\Legjong.exe

File created: C:\Users\user\AppData\Local\Temp\SharpGL.dll

Jump to behavior

Source: Legjong.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Legjong.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Legjong.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Legjong.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Legjong.exe	ReversingLabs: Detection: 57%
Source: Legjong.exe	Virustotal: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Legjong.exe "C:\Users\user\Desktop\Legjong.exe"
Source: C:\Users\user\Desktop\Legjong.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Legjong.exe	Process created: C:\Users\user\AppData\Local\Temp\legjong.exe "C:\Users\user\AppData\Local\Temp\legjong.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKCR /f
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKU /f
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKCC /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCC /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKU /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCR /f
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\msconfig.exe "C:\Windows\System32\msconfig.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\tabcal.exe "C:\Windows\System32\tabcal.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\DevModeRunAsUserConfig.msc"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sethc.exe "C:\Windows\System32\sethc.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sigverif.exe "C:\Windows\System32\sigverif.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe"
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sppsvc.exe "C:\Windows\System32\sppsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\PrintBrmUi.exe "C:\Windows\System32\PrintBrmUi.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\DeviceEject.exe "C:\Windows\System32\DeviceEject.exe"
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\RMActivate_ssp.exe "C:\Windows\System32\RMActivate_ssp.exe"
Source: C:\Windows\System32\RMActivate_ssp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\GameBarPresenceWriter.exe "C:\Windows\System32\GameBarPresenceWriter.exe"
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\diskpart.exe "C:\Windows\System32\diskpart.exe"
Source: C:\Windows\System32\diskpart.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\chglogon.exe "C:\Windows\System32\chglogon.exe"
Source: C:\Windows\System32\chglogon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Legjong.exe	Process created: C:\Users\user\AppData\Local\Temp\legjong.exe "C:\Users\user\AppData\Local\Temp\legjong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKCR /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKU /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKCC /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\msconfig.exe "C:\Windows\System32\msconfig.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\tabcal.exe "C:\Windows\System32\tabcal.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\DevModeRunAsUserConfig.msc"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sethc.exe "C:\Windows\System32\sethc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sigverif.exe "C:\Windows\System32\sigverif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sppsvc.exe "C:\Windows\System32\sppsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\PrintBrmUi.exe "C:\Windows\System32\PrintBrmUi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\DeviceEject.exe "C:\Windows\System32\DeviceEject.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\RMActivate_ssp.exe "C:\Windows\System32\RMActivate_ssp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\GameBarPresenceWriter.exe "C:\Windows\System32\GameBarPresenceWriter.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\diskpart.exe "C:\Windows\System32\diskpart.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\chglogon.exe "C:\Windows\System32\chglogon.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCR /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKU /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCC /f	Jump to behavior

Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\tabcal.exe	Section loaded: hid.dll
Source: C:\Windows\System32\tabcal.exe	Section loaded: ninput.dll
Source: C:\Windows\System32\tabcal.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\tabcal.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tabcal.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\tabcal.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: acgenral.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ninput.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcndmgr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dot3gpui.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: l2gpstore.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: onex.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: authfwgp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: nlmgp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wlangpui.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: certmgr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: certca.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: certenroll.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: aclui.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dsparse.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wsecedit.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: scecli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: gpedit.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dssec.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dsuiext.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: authz.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: srpuxnativesnapin.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ipsecsnp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: auditnativesnapin.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atlthunk.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: admtmpl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll

Source: C:\Users\user\Desktop\Legjong.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mmc.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Source: C:\Windows\System32\msconfig.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\msconfig.exe

Window detected: Number of UI elements: 32

Source: C:\Users\user\Desktop\Legjong.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Legjong.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Legjong.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Legjong.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Hanii Files\unsafe\Malipune\legjong_launcher\obj\Release\Legjong.pdb source: Legjong.exe
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL\obj\Release\net40\SharpGL.pdbSHA256 source: Legjong.exe, SharpGL.dll.0.dr
Source:	Binary string: D:\Hanii Files\unsafe\Malipune\legjong\obj\Release\legjong.pdb source: Legjong.exe, legjong.exe.0.dr
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL.SceneGraph\obj\Release\net40\SharpGL.SceneGraph.pdb source: Legjong.exe, SharpGL.SceneGraph.dll.0.dr
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL.SceneGraph\obj\Release\net40\SharpGL.SceneGraph.pdbSHA256 source: Legjong.exe, SharpGL.SceneGraph.dll.0.dr
Source:	Binary string: D:\Hanii Files\unsafe\Malipune\legjong_launcher\obj\Release\Legjong.pdb< source: Legjong.exe
Source:	Binary string: C:\projects\sharpgl\source\SharpGL\Core\SharpGL\obj\Release\net40\SharpGL.pdb source: Legjong.exe, SharpGL.dll.0.dr

Source: Legjong.exe

Static PE information: 0x87603DAB [Sat Dec 21 09:36:43 2041 UTC]

Persistence and Installation Behavior

Infects the VBR (Volume Boot Record) of the hard disk

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

File written: \Device\Harddisk0\DR0 offset: 512

Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Writes directly to the primary disk partition (DR0)

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

File written: \Device\Harddisk0\DR0 offset: 512 length: 512

Jump to behavior

Source: C:\Users\user\Desktop\Legjong.exe	File created: C:\Users\user\AppData\Local\Temp\SharpGL.SceneGraph.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Legjong.exe	File created: C:\Users\user\AppData\Local\Temp\SharpGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Legjong.exe	File created: C:\Users\user\AppData\Local\Temp\legjong.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Legjong.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Legjong.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Memory allocated: 1AA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 52F0000 memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 5720000 memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 1DAD0000 memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 1ECA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 1ED60000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 1EDE0000 memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 1EE10000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Legjong.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\mmc.exe

Window / User API: threadDelayed 960

Source: C:\Users\user\Desktop\Legjong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SharpGL.SceneGraph.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Legjong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SharpGL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Legjong.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -58877s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -58311s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -56255s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -48787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -47277s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -31065s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -48636s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -57937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -55812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -32697s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -41670s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -52959s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -52641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -32435s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -31532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -53506s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -55159s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -45329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -52707s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -43273s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -52357s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -32786s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -38915s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -58953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -41022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -45531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -55027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -54742s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -47052s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -50094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -34821s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -50234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -34292s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -31082s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -43696s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -34523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -45932s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -33355s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -44966s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -45673s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -39722s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -33811s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -54570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -47792s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -32129s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -58493s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -57820s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -45426s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -40150s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -31896s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -33744s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe TID: 3432	Thread sleep time: -52004s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Legjong.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 58877	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 58311	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 56255	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 48787	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 47277	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 31065	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 48636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 57937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 55812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 32697	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 41670	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 52959	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 52641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 32435	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 31532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 53506	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 55159	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 45329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 52707	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 43273	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 52357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 32786	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 38915	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 58953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 41022	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 45531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 55027	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 54742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 47052	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 50094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 34821	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 50234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 34292	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 31082	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 43696	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 34523	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 45932	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 33355	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 44966	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 45673	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 39722	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 33811	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 54570	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 47792	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 32129	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 58493	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 57820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 45426	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 40150	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 31896	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 33744	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Thread delayed: delay time: 52004	Jump to behavior

Source: msconfig.exe, 00000019.00000002.1790118364.0000022E29FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --Hyper-V Remote Desktop Virtualization Service
Source: msconfig.exe, 00000019.00000002.1790118364.0000022E29FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $$Hyper-V Time Synchronization Servicec
Source: msconfig.exe, 00000019.00000002.1790118364.0000022E29FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Servicel
Source: msconfig.exe, 00000019.00000002.1777942522.0000022E261BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: diskpart.exe, 0000002F.00000002.1780080382.0000017244712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk DeviceLMEMPX
Source: msconfig.exe, 00000019.00000002.1790118364.0000022E29FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service InterfaceName9
Source: mmc.exe, 0000001B.00000002.1815138464.000000001E66B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
Source: msconfig.exe, 00000019.00000002.1777942522.0000022E261BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: msconfig.exe, 00000019.00000002.1777942522.0000022E261BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: msconfig.exe, 00000019.00000002.1777942522.0000022E261BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service{
Source: msconfig.exe, 00000019.00000002.1790118364.0000022E29FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !!Hyper-V PowerShell Direct Serviceme
Source: msconfig.exe, 00000019.00000002.1777942522.0000022E261BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Legjong.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Code function: 2_2_00007FFC3DE455D9 mouse_event,

2_2_00007FFC3DE455D9

Source: C:\Users\user\Desktop\Legjong.exe	Process created: C:\Users\user\AppData\Local\Temp\legjong.exe "C:\Users\user\AppData\Local\Temp\legjong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKCR /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKU /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C reg delete HKCC /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\msconfig.exe "C:\Windows\System32\msconfig.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\tabcal.exe "C:\Windows\System32\tabcal.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\DevModeRunAsUserConfig.msc"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sethc.exe "C:\Windows\System32\sethc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sigverif.exe "C:\Windows\System32\sigverif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\sppsvc.exe "C:\Windows\System32\sppsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\MicrosoftEdgeCP.exe "C:\Windows\System32\MicrosoftEdgeCP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\PrintBrmUi.exe "C:\Windows\System32\PrintBrmUi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\DeviceEject.exe "C:\Windows\System32\DeviceEject.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\RMActivate_ssp.exe "C:\Windows\System32\RMActivate_ssp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\GameBarPresenceWriter.exe "C:\Windows\System32\GameBarPresenceWriter.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\diskpart.exe "C:\Windows\System32\diskpart.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: C:\Windows\System32\chglogon.exe "C:\Windows\System32\chglogon.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCR /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKU /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCC /f	Jump to behavior

Source: Legjong.exe, legjong.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: legjong.exe, 00000002.00000002.1793640225.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndHB>

Source: C:\Users\user\Desktop\Legjong.exe	Queries volume information: C:\Users\user\Desktop\Legjong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\legjong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\legjong.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.dll VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: legjong.exe.0.dr, Program.cs	.Net Code: Start
Source: 0.2.Legjong.exe.2ddd880.2.raw.unpack, Program.cs	.Net Code: Start

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables the Windows registry editor (regedit)

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\AppData\Local\Temp\legjong.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Modifies Group Policy settings

Source: C:\Windows\System32\mmc.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	2 Bootkit	12 Process Injection	11 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	51 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Bootkit	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Legjong.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Legjong.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Legjong.exe