Malware Analysis Report

2024-09-11 12:57

Sample ID: 240610-rflc6sygrr
Target: 812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e
SHA256: 812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e

Threat Level: Known bad

The file 812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e was found to be: Known bad.

Malicious Activity Summary

Tags: sality backdoor evasion trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Windows security modification

UPX packed file

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-10 14:08

Signatures

Unsigned PE

1 match; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 14:08
Reported: 2024-06-10 14:10
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service (tags: evasion)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Sality (tags: backdoor sality)

UAC bypass (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Windows security bypass (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

24 matches; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

27 matches; no description, indicator, process or target recorded.

UPX packed file (tags: upx)

24 matches; no description, indicator, process or target recorded.

Windows security modification (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Checks whether UAC is enabled (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761c28 C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
File created C:\Windows\f766c2b C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 1972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761bca.exe
PID 2456 wrote to memory of 1972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761bca.exe
PID 2456 wrote to memory of 1972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761bca.exe
PID 2456 wrote to memory of 1972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761bca.exe
PID 1972 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\system32\taskhost.exe
PID 1972 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\system32\Dwm.exe
PID 1972 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\Explorer.EXE
PID 1972 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\system32\DllHost.exe
PID 1972 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\system32\rundll32.exe
PID 1972 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\SysWOW64\rundll32.exe
PID 1972 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 2456 wrote to memory of 2636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 2456 wrote to memory of 2636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 2456 wrote to memory of 2636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 2456 wrote to memory of 1584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763775.exe
PID 2456 wrote to memory of 1584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763775.exe
PID 2456 wrote to memory of 1584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763775.exe
PID 2456 wrote to memory of 1584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763775.exe
PID 1972 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\system32\taskhost.exe
PID 1972 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\system32\Dwm.exe
PID 1972 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Windows\Explorer.EXE
PID 1972 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 1972 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 1972 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Users\Admin\AppData\Local\Temp\f763775.exe
PID 1972 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\f761bca.exe C:\Users\Admin\AppData\Local\Temp\f763775.exe
PID 1584 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe C:\Windows\system32\taskhost.exe
PID 1584 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe C:\Windows\system32\Dwm.exe
PID 1584 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f763775.exe C:\Windows\Explorer.EXE

System policy modification (tags: evasion)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763775.exe N/A

Processes

C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"

C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761bca.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f761bca.exe

C:\Users\Admin\AppData\Local\Temp\f761d31.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f761d31.exe

C:\Users\Admin\AppData\Local\Temp\f763775.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f763775.exe

Network

N/A

Files

memory/2456-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761bca.exe

MD5: 8ee6703590006427c3f796a027c4095c
SHA1: 37c19b27659a5b6ff318c02974ab96e23db7e725
SHA256: 6363f8ce2b7fecfd4f64dd1145234a27dc165d74b13b9a15cb3cd452e0a182ec
SHA512: 49338191d2907f501c5cf80e8ba9f2a0fd9dc9b6d6d133181abc068e50db0c1e350ab09ce0a495c14bd6f9f24c9f76f8a2dd500292dcf9033ff053466f5d916e

memory/1972-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2456-10-0x0000000000110000-0x0000000000122000-memory.dmp

memory/2456-9-0x0000000000110000-0x0000000000122000-memory.dmp

memory/1972-14-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-16-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-18-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-21-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-17-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-20-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2636-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2456-59-0x0000000000140000-0x0000000000142000-memory.dmp

memory/2456-58-0x0000000000160000-0x0000000000172000-memory.dmp

memory/2456-57-0x0000000000140000-0x0000000000142000-memory.dmp

memory/1972-49-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/1972-48-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/1972-46-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2456-45-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1972-23-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2456-37-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2456-36-0x0000000000140000-0x0000000000142000-memory.dmp

memory/1112-29-0x0000000000110000-0x0000000000112000-memory.dmp

memory/1972-19-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-15-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-22-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-62-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-61-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-63-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-65-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-64-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-67-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-68-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1584-80-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1972-82-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-84-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1972-85-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1584-104-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1584-102-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2636-97-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1584-106-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1972-107-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2636-105-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2636-96-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1972-125-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/1972-156-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2636-160-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1972-155-0x0000000000520000-0x00000000015DA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5: db77c5e0623f11f2ec5d498795b85c15
SHA1: 9d91d97fd088c5578a2db52b36aa7aa07618dea5
SHA256: 4b4f5dcdc35f9837e06aecfd932d1edfd85684151854c2a9e54773eee6710474
SHA512: 36e46bac4a0e2e4d4e704d512d023dbf9fef042fa2627374a415a0119c60e33847a07ef16248cbf9a1c7ad97573e34075bcae46a7cee1d95c51743fb21b951e7

memory/1584-183-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1584-211-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1584-210-0x0000000000910000-0x00000000019CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 14:08
Reported: 2024-06-10 14:10
Platform: win10v2004-20240508-en
Max time kernel: 143s
Max time network: 148s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service (tags: evasion)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A

Sality (tags: backdoor sality)

UAC bypass (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A

Windows security bypass (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

30 matches; no description, indicator, process or target recorded.

UPX dump on OEP (original entry point)

35 matches; no description, indicator, process or target recorded.

UPX packed file (tags: upx)

30 matches; no description, indicator, process or target recorded.

Windows security modification (tags: evasion trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e58310e C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
File created C:\Windows\e57e03e C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A (64 identical events recorded; shown once)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 3884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe
PID 4852 wrote to memory of 3884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe
PID 4852 wrote to memory of 3884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe
PID 3884 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\fontdrvhost.exe
PID 3884 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\fontdrvhost.exe
PID 3884 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\dwm.exe
PID 3884 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\sihost.exe
PID 3884 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\svchost.exe
PID 3884 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\taskhostw.exe
PID 3884 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\Explorer.EXE
PID 3884 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\svchost.exe
PID 3884 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\DllHost.exe
PID 3884 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3884 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3884 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3884 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3884 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\rundll32.exe
PID 3884 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SysWOW64\rundll32.exe
PID 3884 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe
PID 4852 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe
PID 4852 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe
PID 3884 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\fontdrvhost.exe
PID 3884 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\fontdrvhost.exe
PID 3884 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\dwm.exe
PID 3884 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\sihost.exe
PID 3884 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\svchost.exe
PID 3884 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\taskhostw.exe
PID 3884 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\Explorer.EXE
PID 3884 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\svchost.exe
PID 3884 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\DllHost.exe
PID 3884 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3884 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3884 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3884 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3884 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\rundll32.exe
PID 3884 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe
PID 3884 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe
PID 3884 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\System32\RuntimeBroker.exe
PID 3884 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 2416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5808e4.exe
PID 4852 wrote to memory of 2416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5808e4.exe
PID 4852 wrote to memory of 2416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5808e4.exe
PID 4852 wrote to memory of 4940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580981.exe
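Read as a graph, the rows above show the hand-off chain rather than 64 unrelated events: the 64-bit C:\Windows\system32\rundll32.exe (PID 2732) writes into its 32-bit SysWOW64 counterpart (4852), which is the instance that can load the 32-bit DLL; 4852 writes into the dropped e57dfd1.exe (3884); 3884 then writes into nearly every process of the user session (fontdrvhost, dwm, sihost, svchost, Explorer, RuntimeBroker, msedge, ...) and back into both rundll32 instances, while 4852 also writes into the further droppers e57e0da.exe, e5808e4.exe and e580981.exe. Repeated rows for one source/target pair are separate write calls, not duplicated table rows. The Python script below is added here as an example and is not part of the sandbox output; it rebuilds that graph from an excerpt of the rows (copied from the table above) and splits each writer's targets into pre-existing processes it wrote into and dropped executables staged under the Temp directory. DROPPER_DIR is taken from the paths recorded in this run.

```python
"""Rebuild the process-injection graph from the report's WriteProcessMemory rows.

Added example for this report, not part of the sandbox output. SAMPLE_ROWS is an
excerpt copied from the "Suspicious use of WriteProcessMemory" table; DROPPER_DIR is
the Temp directory the dropped executables share in this run.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = [
    r'PID 2732 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 2732 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 2732 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 4852 wrote to memory of 3884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe',
    r'PID 4852 wrote to memory of 3884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe',
    r'PID 4852 wrote to memory of 3884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe',
    r'PID 3884 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\fontdrvhost.exe',
    r'PID 3884 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\dwm.exe',
    r'PID 3884 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\Explorer.EXE',
    r'PID 3884 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
    r'PID 3884 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\system32\rundll32.exe',
    r'PID 3884 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 4852 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe',
    r'PID 3884 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe C:\Users\Admin\AppData\Local\Temp\e57e0da.exe',
    r'PID 4852 wrote to memory of 2416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5808e4.exe',
    r'PID 4852 wrote to memory of 4940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580981.exe',
]

# Directory the dropped executables were written to in this detonation.
DROPPER_DIR = r'C:\Users\Admin\AppData\Local\Temp'

# Image paths may contain spaces ("Program Files (x86)"), so the split between the
# source and target image is anchored on the drive-letter prefix of the target.
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_image>[A-Za-z]:\\.+?) (?P<dst_image>[A-Za-z]:\\.+)$'
)


def build_graph(rows):
    """Return (pid -> image path, src pid -> {dst pid: number of writes})."""
    images = {}
    edges = defaultdict(lambda: defaultdict(int))
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue  # other signature rows are ignored
        src, dst = int(m.group('src')), int(m.group('dst'))
        images[src] = m.group('src_image')
        images[dst] = m.group('dst_image')
        edges[src][dst] += 1  # repeated rows are separate write calls; keep the count
    return images, edges


def write_count(edges, src, dst):
    """Number of recorded writes from src into dst."""
    return edges.get(src, {}).get(dst, 0)


def fan_out(edges, pid):
    """Number of distinct processes a writer touched."""
    return len(edges.get(pid, {}))


def intermediaries(edges):
    """PIDs that were both written into and wrote into others: the hand-off points."""
    written_to = {dst for targets in edges.values() for dst in targets}
    return sorted(pid for pid in edges if pid in written_to)


def targets_by_kind(images, edges, pid, dropper_dir=DROPPER_DIR):
    """Split a writer's targets into dropped executables (staged) and other processes (hijacked)."""
    staged, hijacked = [], []
    for dst in edges.get(pid, {}):
        is_dropper = images[dst].lower().startswith(dropper_dir.lower())
        (staged if is_dropper else hijacked).append(dst)
    return {'staged': sorted(staged), 'hijacked': sorted(hijacked)}


if __name__ == '__main__':
    images, edges = build_graph(SAMPLE_ROWS)
    print('hand-off points:', intermediaries(edges))
    for pid in sorted(edges):
        kinds = targets_by_kind(images, edges, pid)
        print(f"{pid} {images[pid]}: {fan_out(edges, pid)} targets, "
              f"{len(kinds['staged'])} staged droppers, {len(kinds['hijacked'])} existing processes")
```

On the full table the fan-out of PID 3884 is 27 distinct processes; the excerpt keeps enough rows to show the chain and the dedup of the triple writes into 4852 and 3884.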

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A
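Two points a responder should take from the registry tables above. First, the same write appears under both "Checks whether UAC is enabled" and "System policy modification": EnableLUA = "0" under Policies\System does not check UAC, it disables it (the change takes effect at the next boot). Second, note which registry view each write landed in. The dropped executables run as 32-bit processes (they are started from C:\Windows\SysWOW64\rundll32.exe, as the WriteProcessMemory table shows), so their writes to HKLM\SOFTWARE\Microsoft\Security Center were redirected into the WOW6432Node view; a 64-bit component reading the native Security Center key does not see those six values. Policies\System is one of the keys Windows shares between the 32-bit and 64-bit views, which is why the EnableLUA rows carry no WOW6432Node path and why that write does take effect. The Python script below is added here as an example and is not part of the sandbox output; it parses these rows, strips the redirection prefix so writes from either view compare against one logical key, and reports each process's deviations from the Windows default values. The table of defaults is an assumption of the example (Windows defaults for these values), not data the report records.

```python
"""Audit the registry writes recorded in the report against Windows default values.

Added example for this report, not part of the sandbox output. REPORT_ROWS is copied
from the "Windows security modification" and "System policy modification" tables;
SAFE_VALUES holds the Windows defaults for the values this sample touches (an
assumption of the example, not something the report records).
"""
import re
from collections import defaultdict

REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5808e4.exe N/A',
]

# Windows defaults for the values this sample rewrites (assumption of the example).
# Keys are the logical 64-bit path, so a redirected WOW6432Node write maps onto the same entry.
SAFE_VALUES = {
    (r'SOFTWARE\Microsoft\Security Center', 'AntiVirusDisableNotify'): '0',
    (r'SOFTWARE\Microsoft\Security Center', 'AntiVirusOverride'): '0',
    (r'SOFTWARE\Microsoft\Security Center', 'FirewallDisableNotify'): '0',
    (r'SOFTWARE\Microsoft\Security Center', 'FirewallOverride'): '0',
    (r'SOFTWARE\Microsoft\Security Center', 'UacDisableNotify'): '0',
    (r'SOFTWARE\Microsoft\Security Center', 'UpdatesDisableNotify'): '0',
    (r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'EnableLUA'): '1',
}

HIVE_PREFIXES = {r'\REGISTRY\MACHINE': 'HKLM', r'\REGISTRY\USER': 'HKU'}

# "Set value (<type>) <path> = "<data>" <process> <target>"; the key path may contain spaces.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)


def parse_set_value(row):
    """Parse one "Set value" row; returns None for other row types such as "Key created"."""
    m = SET_VALUE_RE.match(row)
    if not m:
        return None
    raw_path = m.group('path')
    for prefix, hive in HIVE_PREFIXES.items():
        if raw_path.upper().startswith(prefix.upper()):
            relative = raw_path[len(prefix) + 1:]
            break
    else:
        return None
    key, _, name = relative.rpartition('\\')
    redirected = '\\WOW6432Node\\' in f'\\{key}\\'
    # Strip the redirection component so both registry views compare against one logical key.
    logical_key = key.replace('WOW6432Node\\', '', 1) if redirected else key
    return {
        'hive': hive, 'key': key, 'logical_key': logical_key, 'name': name,
        'data': m.group('data'), 'redirected': redirected,
        'process': m.group('process').rsplit('\\', 1)[-1],
    }


def audit(rows):
    """Return the parsed writes whose data differs from the known-safe value."""
    findings = []
    for row in rows:
        rec = parse_set_value(row)
        if rec is None:
            continue
        expected = SAFE_VALUES.get((rec['logical_key'], rec['name']))
        if expected is None or rec['data'] == expected:
            continue
        rec['expected'] = expected
        findings.append(rec)
    return findings


def summarize(findings):
    """Per writing process: distinct controls weakened and how many writes hit each registry view."""
    by_proc = defaultdict(lambda: {'controls': set(), 'redirected': 0, 'native': 0})
    for f in findings:
        entry = by_proc[f['process']]
        entry['controls'].add(f['name'])
        entry['redirected' if f['redirected'] else 'native'] += 1
    return {p: {'controls': sorted(v['controls']), 'redirected': v['redirected'], 'native': v['native']}
            for p, v in by_proc.items()}


if __name__ == '__main__':
    for proc, info in summarize(audit(REPORT_ROWS)).items():
        print(f"{proc}: {len(info['controls'])} controls weakened "
              f"({info['redirected']} writes in the WOW6432Node view, {info['native']} in the native view)")
        for name in info['controls']:
            print('   ', name)
```

The "Key created ... Security Center\Svc" rows are deliberately skipped: that subkey exists on a stock installation and is not a tampering indicator on its own.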

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffd9946ceb8,0x7ffd9946cec4,0x7ffd9946ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2296,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2400,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3420 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe

C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe

C:\Users\Admin\AppData\Local\Temp\e57e0da.exe

C:\Users\Admin\AppData\Local\Temp\e57e0da.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4604,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e5808e4.exe

C:\Users\Admin\AppData\Local\Temp\e5808e4.exe

C:\Users\Admin\AppData\Local\Temp\e580981.exe

C:\Users\Admin\AppData\Local\Temp\e580981.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4852-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe

MD5 8ee6703590006427c3f796a027c4095c
SHA1 37c19b27659a5b6ff318c02974ab96e23db7e725
SHA256 6363f8ce2b7fecfd4f64dd1145234a27dc165d74b13b9a15cb3cd452e0a182ec
SHA512 49338191d2907f501c5cf80e8ba9f2a0fd9dc9b6d6d133181abc068e50db0c1e350ab09ce0a495c14bd6f9f24c9f76f8a2dd500292dcf9033ff053466f5d916e

memory/3884-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3884-8-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-9-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-14-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3884-6-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4852-15-0x0000000000A30000-0x0000000000A32000-memory.dmp

memory/4852-23-0x0000000000A30000-0x0000000000A32000-memory.dmp

memory/2448-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3884-19-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-29-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-10-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-22-0x0000000000560000-0x0000000000562000-memory.dmp

memory/3884-21-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-18-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-20-0x0000000000560000-0x0000000000562000-memory.dmp

memory/4852-12-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/4852-11-0x0000000000A30000-0x0000000000A32000-memory.dmp

memory/3884-34-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-37-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-36-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-33-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-38-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-40-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-39-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-42-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/2448-45-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2448-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2416-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2448-51-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4852-54-0x0000000000A30000-0x0000000000A32000-memory.dmp

memory/4940-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3884-60-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-61-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-63-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-65-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-67-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-68-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-70-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-72-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-74-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-75-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-76-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-83-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3884-90-0x0000000000560000-0x0000000000562000-memory.dmp

memory/3884-100-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2448-104-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 92db20267f1f6c38e6196a4e195338e3
SHA1 c5ceaf6f3d7d80ffa341ab7c0c58d756dbf6c863
SHA256 5e76b3359a3e4186422aef716219d0a9e73d7247dc6bd8e6b0a63356f55a3f89
SHA512 c451a69fa603119608d52b71afdb538f5a7c728dd30d321eee228b7af0bbc56439f50766ecb09eba6db40a9f509c3fb1437da4cb8d8d7f0287baa95177913e7b

memory/2416-116-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/2416-162-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2416-161-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/4940-165-0x0000000000400000-0x0000000000412000-memory.dmp