Our software is dynamically compiled and signed for every different client installation which makes it difficult to keep whitelisted with certain vendors as every package is different. It also collects a tremendous amount of data when users submit tickets about their system. This includes optional screenshots of the last 20 actions the user took before they hit the help button (to recreate the problem steps.) as well as in depth diagnostics about the network, hardware, and software at the moment the button was pressed. All of this looks extremely suspicious to most antiviruses. Having said that most antiviruses will not flag us and if you do find the software being flagged, we can provide you with instructions on how to exempt it from your AV policy.

Suspicious registry key was created:

We do create several registry keys during install, including services and keys to allow the software to run at startup.

An obfuscated Command Prompt command was detected.

We use the PowerShell -EncodedCommand feature to run the update scripts.

Indirect command was executed.

We use the PowerShell -EncodedCommand feature to run the update scripts.

Code injection to a remote process, Code injection to other process memory space via Reflection, Library was injected to a remote process.

The PTTB.exe process injects code into the running shell32.dll thread. That shell32.dll thread running inside of explorer.exe is the only windows process that can pin a shortcut to the taskbar. (“PTTB” starnd for “Pin To TaskBar”). since shell32.dll is the only thig that is allowed to pin a item to the taskbar, we inject code into shell32.dll in-memory and execute it so that the request will be coming from that process. This is the only way to pin a shortcut to the taskbar in Windows 10 and 11

PowerShell execution policy was changed.

That one shouldn’t be persistent, we think it’s just complaining that we run PowerShell with the “-ExecutionPolicy Bypass” flag so that the installer/updates still work when PowerShell is restricted.

User logged on

This is just a process starting as the user “SYSTEM” to run the service

Application registered itself to become persistent via an autorun.

Yes, the process that collects the screenshots needs to run when the user logs in

Application registered itself to become persistent via service.

Yes, we install a windows service, like many applications.

Application registered itself to become persistent via scheduled task.

We have processes that need to run persistently.

Keylogger Installation

We use keyboard and mouse inputs to build the slideshows but these are not “logged”, they are just used to know when to take a screenshot.

A UPX packed process was detected, Process suspicious as packed:

Yes, we use pyinstaller to package the python scripts into executables:

Detected suspicious shellcode API call

Ssince shell32.dll is the only thig that is allowed to pin a item to the taskbar, we inject code into shell32.dll in-memory and execute it so that the request will be coming from that process. This is the only way to pin a shortcut to the taskbar in Windows 10 and 11