Malware Analysis Report

2024-09-11 12:56

Sample ID 240610-zn837szcqa
Target 37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124
SHA256 37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124

Threat Level: Known bad

The file 37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Modifies firewall policy service

Windows security bypass

Sality

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Windows security modification

UPX packed file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-10 20:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 20:52

Reported

2024-06-10 20:55

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76209b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761f72 C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
File created C:\Windows\f766f56 C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f05.exe
PID 2208 wrote to memory of 1968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f05.exe
PID 2208 wrote to memory of 1968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f05.exe
PID 2208 wrote to memory of 1968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f05.exe
PID 1968 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\system32\taskhost.exe
PID 1968 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\system32\Dwm.exe
PID 1968 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\Explorer.EXE
PID 1968 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\system32\DllHost.exe
PID 1968 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\system32\rundll32.exe
PID 1968 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76209b.exe
PID 2208 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76209b.exe
PID 2208 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76209b.exe
PID 2208 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76209b.exe
PID 2208 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aa0.exe
PID 2208 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aa0.exe
PID 2208 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aa0.exe
PID 2208 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aa0.exe
PID 1968 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\system32\taskhost.exe
PID 1968 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\system32\Dwm.exe
PID 1968 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Windows\Explorer.EXE
PID 1968 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Users\Admin\AppData\Local\Temp\f76209b.exe
PID 1968 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Users\Admin\AppData\Local\Temp\f76209b.exe
PID 1968 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Users\Admin\AppData\Local\Temp\f763aa0.exe
PID 1968 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f761f05.exe C:\Users\Admin\AppData\Local\Temp\f763aa0.exe
PID 1648 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe C:\Windows\system32\taskhost.exe
PID 1648 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe C:\Windows\system32\Dwm.exe
PID 1648 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f763aa0.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763aa0.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761f05.exe

C:\Users\Admin\AppData\Local\Temp\f761f05.exe

C:\Users\Admin\AppData\Local\Temp\f76209b.exe

C:\Users\Admin\AppData\Local\Temp\f76209b.exe

C:\Users\Admin\AppData\Local\Temp\f763aa0.exe

C:\Users\Admin\AppData\Local\Temp\f763aa0.exe

Network

N/A

Files

memory/2208-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761f05.exe

MD5 c489815d905e190117c69fe77fc43826
SHA1 e1f70e424a091abd571a4dd191bfd40a21b51455
SHA256 a580dddf2fafc226cdfda50fbe1e02d9380307c3d1e0b4e2a496fb5b80b200c5
SHA512 3a8a429d144abd5fece5ac721b05c014ca72980e9c925d4407c2d12cc1216b47f26ee45380440b200a08dbf59ab320419bbe57062105d4f601aab3dab520fe8d

memory/2208-9-0x0000000000180000-0x0000000000192000-memory.dmp

memory/1968-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2208-8-0x0000000000180000-0x0000000000192000-memory.dmp

memory/1968-13-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-16-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-17-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-15-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/2576-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1968-21-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/2208-32-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1968-49-0x00000000004B0000-0x00000000004B2000-memory.dmp

memory/1968-47-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/1968-22-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-19-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/2208-41-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1968-23-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/2208-31-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1068-24-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/1968-20-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/2208-60-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2208-59-0x0000000000210000-0x0000000000222000-memory.dmp

memory/1968-58-0x00000000004B0000-0x00000000004B2000-memory.dmp

memory/1968-18-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/2208-56-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1968-62-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-63-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-64-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-65-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-66-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-68-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-69-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1648-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2208-81-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2208-77-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1968-84-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-85-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-87-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1648-104-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/1648-103-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2576-97-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2576-96-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1648-106-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2576-105-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1968-108-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-121-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-151-0x00000000005E0000-0x000000000169A000-memory.dmp

memory/1968-150-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2576-155-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 7ecf238a81ee0cc33296e10d0635d38a
SHA1 1e4791893b6b931c35144f7f112dc1366019407a
SHA256 1e76ae097cd81ee79bb5b0113dad1ef663ae5a45dfebd9a6bab9a2ce53cd88d6
SHA512 ebf437c7e50bf55052c822b928946a7ae740cf038a55f953c8fb70ac84ee201716356ef1f99bdf12aaed727b62f90bfd800b2784cb55922c4a0f4df0e54d56b0

memory/1648-168-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1648-205-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1648-206-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 20:52

Reported

2024-06-10 20:55

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

56s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57445c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574314 C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
File created C:\Windows\e579318 C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4872 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4872 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4480 wrote to memory of 3012 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe
PID 4480 wrote to memory of 3012 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe
PID 4480 wrote to memory of 3012 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5742d5.exe
PID 3012 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\fontdrvhost.exe
PID 3012 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\fontdrvhost.exe
PID 3012 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\dwm.exe
PID 3012 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\sihost.exe
PID 3012 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\svchost.exe
PID 3012 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\taskhostw.exe
PID 3012 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\svchost.exe
PID 3012 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\DllHost.exe
PID 3012 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3012 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3012 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3012 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3012 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\rundll32.exe
PID 3012 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SysWOW64\rundll32.exe
PID 4480 wrote to memory of 628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57445c.exe
PID 4480 wrote to memory of 628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57445c.exe
PID 4480 wrote to memory of 628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57445c.exe
PID 4480 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575e7b.exe
PID 4480 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575e7b.exe
PID 4480 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575e7b.exe
PID 3012 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\fontdrvhost.exe
PID 3012 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\fontdrvhost.exe
PID 3012 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\dwm.exe
PID 3012 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\sihost.exe
PID 3012 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\svchost.exe
PID 3012 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\taskhostw.exe
PID 3012 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\Explorer.EXE
PID 3012 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\svchost.exe
PID 3012 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\system32\DllHost.exe
PID 3012 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3012 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3012 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3012 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Users\Admin\AppData\Local\Temp\e57445c.exe
PID 3012 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Users\Admin\AppData\Local\Temp\e57445c.exe
PID 3012 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3012 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Users\Admin\AppData\Local\Temp\e575e7b.exe
PID 3012 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\e5742d5.exe C:\Users\Admin\AppData\Local\Temp\e575e7b.exe
PID 4920 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\fontdrvhost.exe
PID 4920 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\fontdrvhost.exe
PID 4920 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\dwm.exe
PID 4920 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\sihost.exe
PID 4920 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\svchost.exe
PID 4920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\taskhostw.exe
PID 4920 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\Explorer.EXE
PID 4920 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\svchost.exe
PID 4920 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\system32\DllHost.exe
PID 4920 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4920 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4920 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e575e7b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5742d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575e7b.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5ef720d91e0952c36ef51136d5b594b1603dd9ba156890fb9a0b0cae05124.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5742d5.exe

C:\Users\Admin\AppData\Local\Temp\e5742d5.exe

C:\Users\Admin\AppData\Local\Temp\e57445c.exe

C:\Users\Admin\AppData\Local\Temp\e57445c.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e575e7b.exe

C:\Users\Admin\AppData\Local\Temp\e575e7b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4480-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5742d5.exe

MD5 c489815d905e190117c69fe77fc43826
SHA1 e1f70e424a091abd571a4dd191bfd40a21b51455
SHA256 a580dddf2fafc226cdfda50fbe1e02d9380307c3d1e0b4e2a496fb5b80b200c5
SHA512 3a8a429d144abd5fece5ac721b05c014ca72980e9c925d4407c2d12cc1216b47f26ee45380440b200a08dbf59ab320419bbe57062105d4f601aab3dab520fe8d

memory/3012-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3012-9-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-8-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-6-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-12-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-11-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4480-31-0x00000000006F0000-0x00000000006F2000-memory.dmp

memory/3012-13-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-23-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-29-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-34-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-28-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-30-0x0000000003660000-0x0000000003662000-memory.dmp

memory/3012-26-0x0000000003660000-0x0000000003662000-memory.dmp

memory/4480-24-0x00000000006F0000-0x00000000006F2000-memory.dmp

memory/3012-10-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-17-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

memory/4480-14-0x00000000006F0000-0x00000000006F2000-memory.dmp

memory/4480-15-0x0000000000810000-0x0000000000811000-memory.dmp

memory/3012-35-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-36-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-37-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-38-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-39-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-41-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-42-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-50-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-52-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-53-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4920-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4920-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/628-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/628-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4920-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/628-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3012-64-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-65-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-69-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-71-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-72-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-74-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-76-0x0000000003660000-0x0000000003662000-memory.dmp

memory/3012-77-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-78-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-79-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-80-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-85-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3012-101-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f6cef88e12352bc1dd8462463b7330dc
SHA1 228b101c13d945d46c9f41accad19b64cce3997f
SHA256 687ad12632eeee114306efef41a33375c5dab197f8b76844fccdb51fb1ac94a2
SHA512 e5f07dc6b5e4535b9cde925179e0b8025af0b7a2e756f053f65436e1e5d7001e7529a78e52a6e936e8608d58cf63fbe4bdf72b9453fb8b71f9410ebc67ab3a9c

memory/4920-118-0x0000000000B40000-0x0000000001BFA000-memory.dmp

memory/628-122-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4920-147-0x0000000000B40000-0x0000000001BFA000-memory.dmp

memory/4920-148-0x0000000000400000-0x0000000000412000-memory.dmp