Malware Analysis Report

2024-09-11 12:56

Sample ID 240610-jbwz4see87
Target ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975
SHA256 ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975
Tags
sality backdoor bootkit evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975

Threat Level: Known bad

The file ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975 was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Sality

Windows security modification

UPX packed file

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 07:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 07:30

Reported

2024-06-10 07:32

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f763237 C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\DllHost.exe
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhost.exe
PID 1684 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\Dwm.exe
PID 1684 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 1684 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe

"C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country Destination Domain Proto
US 8.8.8.8:53 st.p.360.cn udp
US 8.8.8.8:53 tr.p.360.cn udp
US 8.8.8.8:53 agt.p.360.cn udp
US 8.8.8.8:53 pinst.360.cn udp
CN 1.192.136.170:3478 st.p.360.cn udp
CN 1.192.136.170:3478 st.p.360.cn udp
CN 1.192.136.135:80 tr.p.360.cn udp
CN 39.156.85.231:80 pinst.360.cn tcp
CN 39.156.85.231:80 pinst.360.cn tcp
CN 39.156.85.231:80 pinst.360.cn tcp
CN 39.156.85.231:80 pinst.360.cn tcp
CN 39.156.85.231:80 pinst.360.cn tcp
CN 39.156.85.231:80 pinst.360.cn tcp
US 8.8.8.8:53 update.360safe.com udp
CN 220.181.150.177:80 update.360safe.com tcp

Files

memory/1684-2-0x0000000000400000-0x000000000091B000-memory.dmp

memory/1684-1-0x0000000000400000-0x000000000091B000-memory.dmp

memory/1684-0-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-7-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-13-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-22-0x0000000002350000-0x0000000002352000-memory.dmp

memory/1684-23-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1684-25-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1684-6-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-4-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1104-9-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1684-14-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-12-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-17-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-8-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-5-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-31-0x0000000002350000-0x0000000002352000-memory.dmp

memory/1684-32-0x0000000000400000-0x000000000091B000-memory.dmp

memory/1684-33-0x0000000000400000-0x000000000091B000-memory.dmp

\Users\Admin\AppData\Local\Temp\36034B7.tmp360net.dll

MD5 d5f22fc1beff60f5fa9398effca73e2f
SHA1 f84c5f048b5269381a8c6d1dc21905458856543b
SHA256 214a5e9aab33148866db82ab51c5bcce9e4240794c2c2850fa0f7b3bc3aa34e6
SHA512 b031336bf42a55e738a412b39acff8b57892f8d2b49c3ec4eadc9f7c9ad45cbc0f5b06a921fd07cfed2faf2de07c6957dfd8975de5e322f0f82c558ee9dcf1c3

memory/1684-42-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-43-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-44-0x0000000000400000-0x000000000091B000-memory.dmp

memory/1684-45-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-46-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-47-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-49-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-50-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-51-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-54-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-55-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-62-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-64-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-66-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-68-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-71-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-72-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-75-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-77-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-81-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-83-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-84-0x0000000002950000-0x0000000003A0A000-memory.dmp

memory/1684-98-0x0000000000400000-0x000000000091B000-memory.dmp

memory/1684-103-0x0000000000400000-0x000000000091B000-memory.dmp

memory/1684-110-0x0000000000400000-0x000000000091B000-memory.dmp

F:\rwhnj.pif

MD5 8b17fe253285961fe8e4a206ac3a81fb
SHA1 d72e1905d86189f992083bd533bc198ea28c853d
SHA256 3b6ebf2f2487e777a23946d0e6ddcb39426aadc9b5df261f0ff4b09cbf74fe4d
SHA512 c35758d7b32111c614517ed693e4608dcf03dcf0154bdcd852707331bb5fd14daa44b014f4bb63b9137d4dd410b200af021b9262df2fbcd32eb99576acc3edb8

memory/1684-177-0x0000000000400000-0x000000000091B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 07:30

Reported

2024-06-10 07:32

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574120 C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\dwm.exe
PID 4308 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\sihost.exe
PID 4308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhostw.exe
PID 4308 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 4308 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\DllHost.exe
PID 4308 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4308 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4308 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4308 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\dwm.exe
PID 4308 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\sihost.exe
PID 4308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhostw.exe
PID 4308 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 4308 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\DllHost.exe
PID 4308 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4308 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4308 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\dwm.exe
PID 4308 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\sihost.exe
PID 4308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhostw.exe
PID 4308 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 4308 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\DllHost.exe
PID 4308 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4308 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4308 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\fontdrvhost.exe
PID 4308 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\dwm.exe
PID 4308 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\sihost.exe
PID 4308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\taskhostw.exe
PID 4308 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\Explorer.EXE
PID 4308 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\svchost.exe
PID 4308 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\system32\DllHost.exe
PID 4308 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4308 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\System32\RuntimeBroker.exe
PID 4308 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe

"C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 st.p.360.cn udp
US 8.8.8.8:53 pinst.360.cn udp
US 8.8.8.8:53 tr.p.360.cn udp
US 8.8.8.8:53 agt.p.360.cn udp
N/A 224.0.0.251:5353 udp
CN 1.192.136.170:3478 st.p.360.cn udp
CN 1.192.136.170:3478 st.p.360.cn udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 170.136.192.1.in-addr.arpa udp
CN 1.192.136.135:80 tr.p.360.cn udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 135.136.192.1.in-addr.arpa udp
CN 39.156.85.201:80 pinst.360.cn tcp
CN 39.156.85.201:80 pinst.360.cn tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CN 39.156.85.201:80 pinst.360.cn tcp
CN 39.156.85.201:80 pinst.360.cn tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 39.156.85.201:80 pinst.360.cn tcp
CN 39.156.85.201:80 pinst.360.cn tcp
US 8.8.8.8:53 update.360safe.com udp
CN 220.181.150.177:80 update.360safe.com tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4308-0-0x0000000000400000-0x000000000091B000-memory.dmp

memory/4308-1-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-3-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-5-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-6-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-18-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

memory/4308-14-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-16-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-15-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

memory/4308-8-0x0000000001000000-0x0000000001001000-memory.dmp

memory/4308-7-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

memory/4308-4-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-17-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-19-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-20-0x00000000027D0000-0x000000000388A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\36042F4.tmp360net.dll

MD5 d5f22fc1beff60f5fa9398effca73e2f
SHA1 f84c5f048b5269381a8c6d1dc21905458856543b
SHA256 214a5e9aab33148866db82ab51c5bcce9e4240794c2c2850fa0f7b3bc3aa34e6
SHA512 b031336bf42a55e738a412b39acff8b57892f8d2b49c3ec4eadc9f7c9ad45cbc0f5b06a921fd07cfed2faf2de07c6957dfd8975de5e322f0f82c558ee9dcf1c3

memory/4308-31-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-30-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-32-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-33-0x0000000005D80000-0x0000000005D81000-memory.dmp

memory/4308-34-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-35-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-37-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-38-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-39-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-41-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-42-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-44-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-46-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-49-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-51-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-53-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-55-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-57-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-59-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-61-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-63-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-65-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-72-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-74-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-76-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

memory/4308-77-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-79-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-81-0x0000000005D80000-0x0000000005D81000-memory.dmp

memory/4308-82-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-84-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-88-0x00000000027D0000-0x000000000388A000-memory.dmp

F:\lqnm.pif

MD5 bc70255749b5dac4a612e2e00cfa141d
SHA1 b962c993424d5f0625fc4622ee96ae328e7197f4
SHA256 6cb9f64f7cdf277f5f496dbeace7d7fe4c62c43b05a3f52326fe8e55136290bc
SHA512 1878530d81b79e1a13443a7a942fd96c06f662c036a195dab0fdada1dcaf38e27a9ed424f3b2ea6a5f8d08f1b40920472d4ef8a34dd2c411d5ea033654ac3577

memory/4308-113-0x00000000027D0000-0x000000000388A000-memory.dmp

memory/4308-126-0x0000000000400000-0x000000000091B000-memory.dmp