Malware Analysis Report

2024-09-11 12:52

Sample ID 240611-2edxtavajd
Target 5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f
SHA256 5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f
Tags
sality backdoor evasion trojan upx
score
10/10


Analysis Overview


SHA256

5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f

Threat Level: Known bad

The file 5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Windows security bypass

Modifies firewall policy service

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX packed file

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-06-11 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 22:29

Reported

2024-06-11 22:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (33 matches; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (38 matches; no description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (33 matches; no description, indicator, process or target recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e576448 C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
File created C:\Windows\e57b47b C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
File created C:\Windows\e57ceba C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 2152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3244 wrote to memory of 2152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3244 wrote to memory of 2152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 4640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe
PID 2152 wrote to memory of 4640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe
PID 2152 wrote to memory of 4640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5763fa.exe
PID 4640 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\fontdrvhost.exe
PID 4640 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\fontdrvhost.exe
PID 4640 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\dwm.exe
PID 4640 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\sihost.exe
PID 4640 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\svchost.exe
PID 4640 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\taskhostw.exe
PID 4640 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\Explorer.EXE
PID 4640 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\svchost.exe
PID 4640 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\DllHost.exe
PID 4640 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4640 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4640 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4640 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4640 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\rundll32.exe
PID 4640 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SysWOW64\rundll32.exe
PID 4640 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 1136 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5765ce.exe
PID 2152 wrote to memory of 1136 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5765ce.exe
PID 2152 wrote to memory of 1136 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5765ce.exe
PID 2152 wrote to memory of 4896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
PID 2152 wrote to memory of 4896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
PID 2152 wrote to memory of 4896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
PID 4640 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\fontdrvhost.exe
PID 4640 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\fontdrvhost.exe
PID 4640 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\dwm.exe
PID 4640 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\sihost.exe
PID 4640 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\svchost.exe
PID 4640 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\taskhostw.exe
PID 4640 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\Explorer.EXE
PID 4640 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\svchost.exe
PID 4640 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\system32\DllHost.exe
PID 4640 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4640 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4640 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4640 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Users\Admin\AppData\Local\Temp\e5765ce.exe
PID 4640 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Users\Admin\AppData\Local\Temp\e5765ce.exe
PID 4640 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4640 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
PID 4640 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\e5763fa.exe C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
PID 1136 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\fontdrvhost.exe
PID 1136 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\fontdrvhost.exe
PID 1136 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\dwm.exe
PID 1136 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\sihost.exe
PID 1136 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\svchost.exe
PID 1136 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\taskhostw.exe
PID 1136 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\Explorer.EXE
PID 1136 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\svchost.exe
PID 1136 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\system32\DllHost.exe
PID 1136 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1136 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\System32\RuntimeBroker.exe
PID 1136 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e5765ce.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5763fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5765ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577fcf.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5763fa.exe

C:\Users\Admin\AppData\Local\Temp\e5763fa.exe

C:\Users\Admin\AppData\Local\Temp\e5765ce.exe

C:\Users\Admin\AppData\Local\Temp\e5765ce.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e577fcf.exe

C:\Users\Admin\AppData\Local\Temp\e577fcf.exe

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

memory/2152-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5763fa.exe

MD5 981c32cd34a5cb1d89aa799dbce61452
SHA1 1e918edd0e1fc32259b3955ee2c68f57734166be
SHA256 2be6effb0c0744cb34000e614535505f467df40ec3ac00c47f780b64f2bc89f6
SHA512 9955c971140105e3035554401ee6ea679362b03420cdbfd981419bb1c3f9f3d55402693778d4d697297707b69fb50484aefacf05ecdae8454829ca0e3320b194

memory/4640-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4640-9-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-12-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-17-0x0000000001C50000-0x0000000001C51000-memory.dmp

memory/2152-32-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

memory/1136-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4640-25-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-31-0x0000000001C40000-0x0000000001C42000-memory.dmp

memory/4640-23-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-27-0x0000000001C40000-0x0000000001C42000-memory.dmp

memory/4640-13-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/2152-26-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

memory/4640-24-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-10-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/2152-15-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/2152-14-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

memory/4640-8-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-6-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-30-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-37-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-36-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-38-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-39-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-40-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-42-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-43-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4896-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4640-52-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-54-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-55-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4896-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4896-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1136-59-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1136-58-0x0000000000870000-0x0000000000871000-memory.dmp

memory/1136-63-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4896-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4640-65-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-67-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-70-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-71-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-73-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-74-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-75-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-79-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-80-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-81-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-89-0x0000000001C40000-0x0000000001C42000-memory.dmp

memory/4640-84-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4640-101-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 00ae24371c881f5a1b7c1e37dd86b761
SHA1 1a02c59d15ca7906950d2331a5317f96785a2f10
SHA256 87d041a71023c7baedc0425284a9323533ea7e308fe113814caca5d0a68f74fb
SHA512 c5bb7b6e7d1eb4bd1b74ba88713b8c0a8d27ba00aa78fc759d1731db6ac5ce9ed4f363c0f9578c76562926cf9971a209029b4c6c0a82f423830b255a9c542ec1

memory/1136-118-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/1136-131-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/1136-132-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4896-153-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 22:29

Reported

2024-06-11 22:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (27 identical rows, no indicator recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows, no indicator recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (27 identical rows, no indicator recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
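The firewall policy, UAC bypass, Windows security bypass, Windows security modification and "Checks whether UAC is enabled" tables above are the same handful of registry writes reported under several signature names: the single EnableLUA = "0" write from each dropped EXE appears under three of them, and once more under "System policy modification" further down. What matters for triage is what each value does to the host, which the tables do not say. The Python below is an added example for this report, not sandbox code: it parses rows in the table format used here, folds \REGISTRY\MACHINE, ControlSet001 and Wow6432Node into the HKLM path a host check would query, and labels each write by its effect. The row regex, the HKLM rewriting and the impact labels are this example's own choices; the sample rows are copied from the tables above.

```python
"""Rate the registry writes in a sandbox signature table by their effect.

Added example for this report (not sandbox code).  Rows are the
'Description Indicator Process Target' lines used above; the regex, the
HKLM normalisation and the impact labels are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral1 rows, copied verbatim.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
"""

# One table row: operation, native registry path (may contain spaces, e.g.
# "Security Center"), optional value, then the Process and Target columns.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<process>\S+) (?P<target>\S+)$'
)


def normalise_path(path):
    """Rewrite the sandbox's native path into the HKLM form a host check uses:
    \\REGISTRY\\MACHINE -> HKLM, ControlSet001 -> CurrentControlSet, and the
    Wow6432Node view folded into the 64-bit key it mirrors."""
    p = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    p = re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', p, flags=re.I)
    return re.sub(r'\\Wow6432Node\\', r'\\', p, flags=re.I)


def rate(name, value, key_only):
    """Label what a write does to the host's defences.  The labels are this
    example's vocabulary; the value semantics are Windows' own."""
    n = name.lower()
    if key_only:
        return 'key_created'
    if (n, value) in {('enablefirewall', '0'), ('enablelua', '0')}:
        return 'protection_disabled'   # firewall off now; UAC off after next reboot
    if n.endswith('override') and value == '1':
        return 'status_spoofed'        # XP-era Security Center flag: "product is fine, stop warning"
    if (n.endswith('disablenotify') or n == 'disablenotifications') and value == '1':
        return 'alerts_silenced'       # user is no longer told anything changed
    if n == 'donotallowexceptions' and value == '0':
        return 'default_value'         # 0 is normally the default: a no-op, but still worth logging
    return 'unrated'


def parse_rows(text):
    """Parse the table text into a list of event dicts (unparseable lines skipped)."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, _, name = normalise_path(m['path']).rpartition('\\')
        key_only = m['op'] == 'Key created'
        events.append({
            'process': m['process'].rsplit('\\', 1)[-1],
            'key': key,
            'name': name,
            'value': m['value'],
            'impact': rate(name, m['value'], key_only),
        })
    return events


def summarise(events):
    """impact label -> sorted 'process: key\\name=value' strings for the write-up."""
    out = defaultdict(list)
    for e in events:
        val = '' if e['value'] is None else '=' + e['value']
        out[e['impact']].append(f"{e['process']}: {e['key']}\\{e['name']}{val}")
    return {k: sorted(v) for k, v in out.items()}


if __name__ == '__main__':
    for impact, lines in summarise(parse_rows(SAMPLE_ROWS)).items():
        print(impact)
        for line in lines:
            print('  ' + line)
```

Run against the full tables, the output separates the two writes that actually lower the host's security (EnableFirewall = 0 and EnableLUA = 0) from the notification and Security Center flags, which are mostly legacy and mainly useful as a detection signature for this family. The Wow6432Node folding matters when turning these rows into a host query: a 32-bit process in the sandbox wrote to the 32-bit view, but the check on a 64-bit host should look at both views.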

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761fff C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File created C:\Windows\f7672fe C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A (21 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A (20 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2356 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2356 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2356 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2352 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\taskhost.exe
PID 2352 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\Dwm.exe
PID 2352 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\Explorer.EXE
PID 2352 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\DllHost.exe
PID 2352 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\rundll32.exe
PID 2352 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 2852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2356 wrote to memory of 2852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2356 wrote to memory of 2852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2356 wrote to memory of 2852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2352 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\taskhost.exe
PID 2352 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\Dwm.exe
PID 2352 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\Explorer.EXE
PID 2352 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\rundll32.exe
PID 2352 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2352 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2356 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bcf.exe
PID 2356 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bcf.exe
PID 2356 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bcf.exe
PID 2356 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bcf.exe
PID 3020 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe C:\Windows\system32\taskhost.exe
PID 3020 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe C:\Windows\system32\Dwm.exe
PID 3020 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe C:\Windows\Explorer.EXE
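The WriteProcessMemory rows above mix two different things. One is the loader chain: the 64-bit rundll32.exe writes into the SysWOW64 rundll32.exe it spawned, which in turn writes into each dropped EXE (f761f92.exe, f762185.exe, f764bcf.exe) as it creates it. The other is the dropped EXEs writing into processes that were already running (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe) and back into the two rundll32 instances that started them, which is the injection behaviour the "Sality" and SeDebugPrivilege signatures point at. The Python below is an added example, not sandbox code, that separates the two from the rows alone: a writer with fan-out into several Windows-image processes is treated as an injector, and a process's creator is taken to be the first writer into it that wrote before the process wrote anything itself. Nothing in the table says which writes happened at CreateProcess time, so that time-order rule and the fan-out threshold are this example's assumptions; the sample rows are copied from the table above in table order.

```python
"""Rebuild the injection chain from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report (not sandbox code).  The fan-out threshold and
the 'creator wrote first' rule are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: rows from the behavioral1 table above, in table order,
# including one of the duplicate loader writes and the write back into the
# 64-bit rundll32 that started the chain.
SAMPLE_ROWS = r"""
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2352 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\taskhost.exe
PID 2352 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\Dwm.exe
PID 2352 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\Explorer.EXE
PID 2352 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\DllHost.exe
PID 2352 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\rundll32.exe
PID 2352 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 2852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2352 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f762185.exe
PID 2356 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bcf.exe
PID 3020 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe C:\Windows\system32\taskhost.exe
PID 3020 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f764bcf.exe C:\Windows\Explorer.EXE
"""

ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ '
    r'(?P<src_image>\S+) (?P<dst_image>\S+)$'
)


def parse_writes(text):
    """Return (writes, images): writes is the list of (src, dst) PID pairs in
    table order; images maps each PID to the image path the table names."""
    writes, images = [], {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        images.setdefault(src, m['src_image'])
        images.setdefault(dst, m['dst_image'])
        writes.append((src, dst))
    return writes, images


def basename(path):
    return path.rsplit('\\', 1)[-1]


def is_system_image(path):
    """True for binaries under C:\\Windows; the dropped EXEs live under %TEMP%."""
    return path.lower().startswith('c:\\windows\\')


def injectors(writes, images, min_system_targets=2):
    """PIDs that wrote into at least `min_system_targets` distinct processes
    running a Windows system image, with those targets as (pid, name).
    A loader writing into the single child it just created does not qualify;
    fan-out into taskhost, Dwm and Explorer does.  Threshold is an assumption."""
    targets = defaultdict(set)
    for src, dst in writes:
        if src != dst and is_system_image(images[dst]):
            targets[src].add(dst)
    return {src: [(d, basename(images[d])) for d in sorted(dsts)]
            for src, dsts in targets.items() if len(dsts) >= min_system_targets}


def creator(pid, writes):
    """The process that most plausibly started `pid`: the first writer into it,
    accepted only if that write precedes anything `pid` wrote itself (a process
    cannot write before it exists, and CreateProcess writes into the new child).
    Assumes the rows are in time order; returns None when no such writer exists."""
    own_first = next((i for i, (s, _) in enumerate(writes) if s == pid), len(writes))
    for i, (s, d) in enumerate(writes):
        if d == pid and s != pid:
            return s if i < own_first else None
    return None


def lineage(pid, writes, images):
    """Creator chain ending at `pid`, root first, as (pid, image name) pairs."""
    chain = []
    while pid is not None and pid not in {p for p, _ in chain}:
        chain.append((pid, basename(images[pid])))
        pid = creator(pid, writes)
    return chain[::-1]


if __name__ == '__main__':
    w, im = parse_writes(SAMPLE_ROWS)
    for src, tgts in injectors(w, im).items():
        root = ' -> '.join(f'{p}:{n}' for p, n in lineage(src, w, im))
        print(f'{root}  injects into {[n for _, n in tgts]}')
```

On the sample this yields two injectors, f761f92.exe (PID 2352) and f764bcf.exe (PID 3020), both with the lineage rundll32.exe (2336) -> rundll32.exe (2356) -> dropped EXE, while the two rundll32 instances are correctly left as loaders even though they also show up as writers. The write from 2352 back into 2336 is what makes a naive "first writer is the parent" walk loop; the creator rule cuts it because 2336 had already written to 2356 before that row.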

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764bcf.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e70958862a38aa90ff6a0402938b187faa991d2740b886322f8fc1b8cda0c9f.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761f92.exe

C:\Users\Admin\AppData\Local\Temp\f761f92.exe

C:\Users\Admin\AppData\Local\Temp\f762185.exe

C:\Users\Admin\AppData\Local\Temp\f762185.exe

C:\Users\Admin\AppData\Local\Temp\f764bcf.exe

C:\Users\Admin\AppData\Local\Temp\f764bcf.exe

Network

N/A

Files

memory/2356-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f761f92.exe

MD5 981c32cd34a5cb1d89aa799dbce61452
SHA1 1e918edd0e1fc32259b3955ee2c68f57734166be
SHA256 2be6effb0c0744cb34000e614535505f467df40ec3ac00c47f780b64f2bc89f6
SHA512 9955c971140105e3035554401ee6ea679362b03420cdbfd981419bb1c3f9f3d55402693778d4d697297707b69fb50484aefacf05ecdae8454829ca0e3320b194

memory/2352-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2356-9-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2356-8-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2352-14-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-17-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-20-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-21-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-23-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-22-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-19-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-18-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-16-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-15-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2852-49-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2356-35-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2356-48-0x0000000000290000-0x00000000002A2000-memory.dmp

memory/2356-46-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2356-33-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2356-32-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1104-25-0x0000000000490000-0x0000000000492000-memory.dmp

memory/2352-58-0x0000000001790000-0x0000000001792000-memory.dmp

memory/2352-57-0x0000000001790000-0x0000000001792000-memory.dmp

memory/2352-56-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

memory/2352-59-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-60-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-61-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-62-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-63-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-65-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2852-74-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2852-77-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2852-76-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2356-86-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2356-89-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2352-90-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/3020-91-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2352-93-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-95-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-97-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-99-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-100-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-105-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-106-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-107-0x0000000001790000-0x0000000001792000-memory.dmp

memory/2352-136-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2352-135-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2852-140-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 16433e7feb93e7ea875923f6ed65b23b
SHA1 08183287e75dc8ef1fd5e1f8d0f702f573f4bfc1
SHA256 981908dfc3377127677017afe001a68a8a475b12b1d4a504dbd8c0982d9dcc49
SHA512 6c44f5b026935067c304afea7a55fd7b3de50e399f2614e4862557ec1bf5789c07605bcc720bd9c81ca733a59785e0d3baccfc1874540dbb5b53ae00163d825f

memory/3020-152-0x00000000006D0000-0x000000000178A000-memory.dmp

memory/3020-162-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/3020-169-0x0000000002EE0000-0x0000000002EE2000-memory.dmp

memory/3020-203-0x00000000006D0000-0x000000000178A000-memory.dmp

memory/3020-202-0x0000000000400000-0x0000000000412000-memory.dmp