Malware Analysis Report

2025-08-05 19:38

Sample ID 240229-kr7xzscb83
Target Packed.Win32.Salpack.e-772bc15d59c40acded6aeea0d63e081f3885dad1e3729a1dbd733c90fad8ea31
SHA256 772bc15d59c40acded6aeea0d63e081f3885dad1e3729a1dbd733c90fad8ea31
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

772bc15d59c40acded6aeea0d63e081f3885dad1e3729a1dbd733c90fad8ea31

Threat Level: Known bad

The file Packed.Win32.Salpack.e-772bc15d59c40acded6aeea0d63e081f3885dad1e3729a1dbd733c90fad8ea31 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

UAC bypass

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Windows security modification

Loads dropped DLL

Executes dropped EXE

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 08:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 08:51

Reported

2024-02-29 08:53

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (22 identical rows; the report records no description, indicator, process or target for this signature)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (26 identical rows; the report records no description, indicator, process or target for this signature)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (22 identical rows; the report records no description, indicator, process or target for this signature)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f767983 C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A (21 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(×N marks N consecutive identical rows)
PID 2492 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (×7)
PID 2076 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767790.exe (×4)
PID 2696 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\system32\taskhost.exe
PID 2696 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\system32\Dwm.exe
PID 2696 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\Explorer.EXE
PID 2696 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\system32\DllHost.exe
PID 2696 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\system32\rundll32.exe
PID 2696 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\SysWOW64\rundll32.exe (×2)
PID 2076 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767de7.exe (×4)
PID 2076 wrote to memory of 328 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769203.exe (×4)
PID 2696 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\system32\taskhost.exe
PID 2696 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\system32\Dwm.exe
PID 2696 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Windows\Explorer.EXE
PID 2696 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Users\Admin\AppData\Local\Temp\f767de7.exe (×2)
PID 2696 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\f767790.exe C:\Users\Admin\AppData\Local\Temp\f769203.exe (×2)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767790.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Users\Admin\AppData\Local\Temp\f767790.exe

C:\Users\Admin\AppData\Local\Temp\f767790.exe

C:\Users\Admin\AppData\Local\Temp\f767de7.exe

C:\Users\Admin\AppData\Local\Temp\f767de7.exe

C:\Users\Admin\AppData\Local\Temp\f769203.exe

C:\Users\Admin\AppData\Local\Temp\f769203.exe

Network

N/A

Files

memory/2076-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f767790.exe

MD5 e2eb55a2624fc35bac6c58e82cde549b
SHA1 0c4bb103bf265522c99a6f5e2e0731ab89b000a0
SHA256 1aec34800ace7b5bd83cb9a9c0e7bd1dab931c33e243f324734708606b70c506
SHA512 c409001e8e1d3187dfc461f0446f335529dc38ec23fd6f7335ab318929e98ec3c66fe9332ee529abee58888af4856f38dbe043fdd2f5ccb46d8826a35e1759fd

memory/2076-10-0x00000000001A0000-0x00000000001B2000-memory.dmp

memory/2076-8-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2076-12-0x00000000001A0000-0x00000000001B2000-memory.dmp

memory/2696-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2696-11-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-15-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/1108-16-0x0000000001C80000-0x0000000001C82000-memory.dmp

memory/2696-17-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-20-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2076-26-0x00000000006C0000-0x00000000006C2000-memory.dmp

memory/2076-27-0x0000000000710000-0x0000000000711000-memory.dmp

memory/2076-30-0x00000000006C0000-0x00000000006C2000-memory.dmp

memory/2696-25-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-28-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2076-32-0x0000000000710000-0x0000000000711000-memory.dmp

memory/2076-42-0x0000000000C70000-0x0000000000C82000-memory.dmp

memory/2076-45-0x0000000000C70000-0x0000000000C82000-memory.dmp

memory/2752-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2696-50-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2696-44-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-53-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2696-52-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-55-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-59-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-60-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-61-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-62-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-63-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2076-72-0x00000000006C0000-0x00000000006C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f769203.exe

MD5 960d115c8196421e618f50badccef942
SHA1 2ac2d476e5b9b09d5717ad63ab229d99c45a5f48
SHA256 663ea4f85c39a9199e4ed225831ff5cfa5abfd32fe3f4833b42366f4ac10b6e7
SHA512 997d20ba01ecf9458ab2eaa25db205f6621649bfdfe78106055b04c5fa087ac8b9790a4356de64cc20a97db0cff19c0c4cf7fa5a56973322d828b0b2eb886f85

\Users\Admin\AppData\Local\Temp\f769203.exe

MD5 877d9e0b14f64f136a6344c898000e13
SHA1 f24e343628c20be181f196b6b83fd791210c6bd0
SHA256 c969de9d720595130e316eebf9851ec10aeaed17d799d67d199ca62bc8776b17
SHA512 d6255d4a7a6fe3d095fc256d6371158610d51bb54b28bc1fb6a52641b9a0a6fd7db8c19ecdfe6b07b43844c9a82c9cdd3d447f79f7801c02208917e47c781d99

memory/2076-77-0x00000000001A0000-0x00000000001A6000-memory.dmp

memory/328-76-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2696-64-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-79-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-80-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-81-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-83-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2752-91-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2752-93-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2752-96-0x0000000000360000-0x0000000000362000-memory.dmp

memory/328-101-0x0000000000270000-0x0000000000271000-memory.dmp

memory/328-99-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2696-102-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-104-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2696-108-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2696-145-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/328-149-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 08:51

Reported

2024-02-29 08:53

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (29 identical rows; the report records no description, indicator, process or target for this signature)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (34 identical rows; the report records no description, indicator, process or target for this signature)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (29 identical rows; the report records no description, indicator, process or target for this signature)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e575803 C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(×N marks N consecutive identical rows)
PID 2712 wrote to memory of 5040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (×3)
PID 5040 wrote to memory of 3244 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5756bb.exe (×3)
PID 3244 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\fontdrvhost.exe
PID 3244 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\fontdrvhost.exe
PID 3244 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\dwm.exe
PID 3244 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\sihost.exe
PID 3244 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\svchost.exe
PID 3244 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\taskhostw.exe
PID 3244 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\Explorer.EXE
PID 3244 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\svchost.exe
PID 3244 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\DllHost.exe
PID 3244 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3244 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3244 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3244 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3244 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3244 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3244 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\rundll32.exe
PID 3244 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SysWOW64\rundll32.exe (×2)
PID 5040 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5759d8.exe
PID 5040 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5759d8.exe
PID 5040 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5759d8.exe
PID 5040 wrote to memory of 4496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5772de.exe
PID 5040 wrote to memory of 4496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5772de.exe
PID 5040 wrote to memory of 4496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5772de.exe
PID 3244 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\fontdrvhost.exe
PID 3244 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\fontdrvhost.exe
PID 3244 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\dwm.exe
PID 3244 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\sihost.exe
PID 3244 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\svchost.exe
PID 3244 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\taskhostw.exe
PID 3244 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\Explorer.EXE
PID 3244 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\svchost.exe
PID 3244 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\DllHost.exe
PID 3244 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3244 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3244 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3244 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3244 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3244 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Users\Admin\AppData\Local\Temp\e5759d8.exe
PID 3244 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Users\Admin\AppData\Local\Temp\e5759d8.exe
PID 3244 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3244 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Users\Admin\AppData\Local\Temp\e5772de.exe
PID 3244 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\e5756bb.exe C:\Users\Admin\AppData\Local\Temp\e5772de.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5756bb.exe N/A

Processes

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Users\Admin\AppData\Local\Temp\e5756bb.exe

C:\Users\Admin\AppData\Local\Temp\e5756bb.exe

C:\Users\Admin\AppData\Local\Temp\e5759d8.exe

C:\Users\Admin\AppData\Local\Temp\e5759d8.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5772de.exe

C:\Users\Admin\AppData\Local\Temp\e5772de.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e5756bb.exe

MD5 e2eb55a2624fc35bac6c58e82cde549b
SHA1 0c4bb103bf265522c99a6f5e2e0731ab89b000a0
SHA256 1aec34800ace7b5bd83cb9a9c0e7bd1dab931c33e243f324734708606b70c506
SHA512 c409001e8e1d3187dfc461f0446f335529dc38ec23fd6f7335ab318929e98ec3c66fe9332ee529abee58888af4856f38dbe043fdd2f5ccb46d8826a35e1759fd