Malware Analysis Report

2024-09-11 12:58

Sample ID 240611-3l6rvawcjr
Target 7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399
SHA256 7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399

Threat Level: Known bad

The file 7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Sality

UAC bypass

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 23:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 23:37

Reported

2024-06-11 23:39

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76aec6.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
File created C:\Windows\f76e772 C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A
File created C:\Windows\f769731 C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769618.exe
PID 2816 wrote to memory of 2844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769618.exe
PID 2816 wrote to memory of 2844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769618.exe
PID 2816 wrote to memory of 2844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769618.exe
PID 2844 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\system32\taskhost.exe
PID 2844 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\system32\Dwm.exe
PID 2844 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\Explorer.EXE
PID 2844 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\system32\DllHost.exe
PID 2844 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\system32\rundll32.exe
PID 2844 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769905.exe
PID 2816 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769905.exe
PID 2816 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769905.exe
PID 2816 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769905.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76aec6.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76aec6.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76aec6.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76aec6.exe
PID 2844 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\system32\taskhost.exe
PID 2844 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\system32\Dwm.exe
PID 2844 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Windows\Explorer.EXE
PID 2844 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Users\Admin\AppData\Local\Temp\f769905.exe
PID 2844 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Users\Admin\AppData\Local\Temp\f769905.exe
PID 2844 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Users\Admin\AppData\Local\Temp\f76aec6.exe
PID 2844 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f769618.exe C:\Users\Admin\AppData\Local\Temp\f76aec6.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769618.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769905.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399.dll,#1

C:\Users\Admin\AppData\Local\Temp\f769618.exe

C:\Users\Admin\AppData\Local\Temp\f769618.exe

C:\Users\Admin\AppData\Local\Temp\f769905.exe

C:\Users\Admin\AppData\Local\Temp\f769905.exe

C:\Users\Admin\AppData\Local\Temp\f76aec6.exe

C:\Users\Admin\AppData\Local\Temp\f76aec6.exe

Network

N/A

Files

memory/2816-4-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2816-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2816-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2816-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f769618.exe

MD5 7b00ea4dd800525e1e7865c366f647a0
SHA1 411f2e4ee4b0694049737791dcab6a76534348e4
SHA256 9256d8f442cc7351206e8c53673fd7e361b1752b5b1f15ebb6b515c5868b2015
SHA512 6ec6a97b25dfaf9cee391126b7ee62b21278eaf27c5a86c254f7ab48259c9afb6f584469a03f628992fba39e5673d4d804f8e0e5902a72f0f487bf1b92203c1a

memory/2816-6-0x00000000000B0000-0x00000000000C2000-memory.dmp

memory/2844-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2816-13-0x00000000000B0000-0x00000000000C2000-memory.dmp

memory/2844-15-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-21-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/1128-24-0x0000000001C40000-0x0000000001C42000-memory.dmp

memory/2816-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2816-54-0x0000000000200000-0x0000000000212000-memory.dmp

memory/2460-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2844-23-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-18-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-17-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-58-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2844-31-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-64-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2844-22-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-20-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-19-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-44-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2816-45-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2844-43-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2816-35-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2816-34-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2816-53-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2844-66-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-65-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-67-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-68-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-69-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2816-82-0x00000000000B0000-0x00000000000B6000-memory.dmp

memory/2680-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2844-84-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2816-79-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2844-86-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-88-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-89-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2844-90-0x0000000000700000-0x00000000017BA000-memory.dmp

memory/2460-108-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2680-111-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2460-110-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2680-107-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2460-103-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2844-157-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2844-158-0x0000000000700000-0x00000000017BA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 220e26dc6a1ab2b81e24e7cc8c1209c2
SHA1 531c4e80721d054128f13ce2e37461bd77f46ea1
SHA256 6116137d1562c59e51be71c6a04ecaadc561ffde0915167ac786c469bdea01dc
SHA512 b2ef9b8a7b11a277b74c89a1bb41a4999c921c6a9a4400648eba98098d426145d315f232d8c4541d61a3a3294205ac7ac8401bf5f9a7c36ef30357bf7bc19fe8

memory/2460-170-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2460-184-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2460-183-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2680-189-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2680-190-0x0000000000A60000-0x0000000001B1A000-memory.dmp

memory/2680-191-0x0000000000A60000-0x0000000001B1A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 23:37

Reported

2024-06-11 23:39

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

154s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e580162.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e581652.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57fec3 C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
File created C:\Windows\e585109 C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 5104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 5104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 5104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe
PID 5104 wrote to memory of 772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe
PID 5104 wrote to memory of 772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe
PID 772 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\fontdrvhost.exe
PID 772 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\fontdrvhost.exe
PID 772 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\dwm.exe
PID 772 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\sihost.exe
PID 772 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\svchost.exe
PID 772 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\taskhostw.exe
PID 772 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\Explorer.EXE
PID 772 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\svchost.exe
PID 772 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\DllHost.exe
PID 772 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 772 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\System32\RuntimeBroker.exe
PID 772 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 772 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\System32\RuntimeBroker.exe
PID 772 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\System32\RuntimeBroker.exe
PID 772 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 772 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\rundll32.exe
PID 772 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SysWOW64\rundll32.exe
PID 772 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 3840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580162.exe
PID 5104 wrote to memory of 3840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580162.exe
PID 5104 wrote to memory of 3840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580162.exe
PID 5104 wrote to memory of 1600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581652.exe
PID 5104 wrote to memory of 1600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581652.exe
PID 5104 wrote to memory of 1600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581652.exe
PID 5104 wrote to memory of 3000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5816fe.exe
PID 5104 wrote to memory of 3000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5816fe.exe
PID 5104 wrote to memory of 3000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5816fe.exe
PID 772 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\fontdrvhost.exe
PID 772 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\fontdrvhost.exe
PID 772 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\dwm.exe
PID 772 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\sihost.exe
PID 772 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\svchost.exe
PID 772 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\taskhostw.exe
PID 772 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\Explorer.EXE
PID 772 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\svchost.exe
PID 772 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\system32\DllHost.exe
PID 772 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 772 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\System32\RuntimeBroker.exe
PID 772 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 772 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\System32\RuntimeBroker.exe
PID 772 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\System32\RuntimeBroker.exe
PID 772 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 772 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 772 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Users\Admin\AppData\Local\Temp\e580162.exe
PID 772 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe C:\Users\Admin\AppData\Local\Temp\e580162.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5816fe.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffa2d402e98,0x7ffa2d402ea4,0x7ffa2d402eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3056 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3264 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5484 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5620 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7514983ca19d9797096fd438128d1efae4441677b76c30baaaf855e961c09399.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe

C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe

C:\Users\Admin\AppData\Local\Temp\e580162.exe

C:\Users\Admin\AppData\Local\Temp\e580162.exe

C:\Users\Admin\AppData\Local\Temp\e581652.exe

C:\Users\Admin\AppData\Local\Temp\e581652.exe

C:\Users\Admin\AppData\Local\Temp\e5816fe.exe

C:\Users\Admin\AppData\Local\Temp\e5816fe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4828 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp

Files

memory/5104-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57fcaf.exe

MD5 7b00ea4dd800525e1e7865c366f647a0
SHA1 411f2e4ee4b0694049737791dcab6a76534348e4
SHA256 9256d8f442cc7351206e8c53673fd7e361b1752b5b1f15ebb6b515c5868b2015
SHA512 6ec6a97b25dfaf9cee391126b7ee62b21278eaf27c5a86c254f7ab48259c9afb6f584469a03f628992fba39e5673d4d804f8e0e5902a72f0f487bf1b92203c1a

memory/772-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/772-7-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-12-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-11-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-15-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5104-29-0x00000000042C0000-0x00000000042C2000-memory.dmp

memory/3840-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/772-17-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-32-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/5104-27-0x00000000042C0000-0x00000000042C2000-memory.dmp

memory/772-26-0x0000000001B80000-0x0000000001B81000-memory.dmp

memory/5104-24-0x0000000004900000-0x0000000004901000-memory.dmp

memory/5104-23-0x00000000042C0000-0x00000000042C2000-memory.dmp

memory/772-30-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/772-14-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-13-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-16-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-36-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-9-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-42-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1600-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-55-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5104-51-0x00000000042C0000-0x00000000042C2000-memory.dmp

memory/772-56-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-57-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-59-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-60-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-61-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-64-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3000-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3000-77-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3840-76-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1600-75-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3840-73-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1600-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3000-71-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1600-69-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3840-67-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/772-78-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-81-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-83-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-86-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-85-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-88-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-91-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-93-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/772-94-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/772-114-0x0000000000400000-0x0000000000412000-memory.dmp

memory/772-110-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3840-118-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-120-0x0000000000B30000-0x0000000001BEA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a3cd4bd2b72e7c0a5b3b16e50037eb6d
SHA1 90269d7d9fd07745360ec515e02b1ac56e5f1089
SHA256 0880a460aea026d268123c4ee4d081c4307608a1d7843be3afbfbaa0c8250d50
SHA512 676e41634f36dc630e6ccc8ed2d39d2db1873c7aa35b799d292e390f8d5304130c2b6ebfb06fa314387a7a82ce1ef78ccb6cd31e69182cdae4bedcbf153c24c0

memory/1600-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-163-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-162-0x0000000000B30000-0x0000000001BEA000-memory.dmp