Malware Analysis Report

2024-09-11 12:40

Sample ID 240611-dwzzlsshqj
Target cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe
SHA256 cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe

Threat Level: Known bad

The file cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Modifies firewall policy service

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

Windows security modification

UPX packed file

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:22

Reported

2024-06-11 03:24

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574e3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574d45 C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
File created C:\Windows\e579de6 C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2492 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe
PID 2492 wrote to memory of 2792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe
PID 2492 wrote to memory of 2792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ce7.exe
PID 2792 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\fontdrvhost.exe
PID 2792 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\fontdrvhost.exe
PID 2792 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\dwm.exe
PID 2792 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\sihost.exe
PID 2792 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\svchost.exe
PID 2792 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\taskhostw.exe
PID 2792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\svchost.exe
PID 2792 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\DllHost.exe
PID 2792 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2792 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\System32\RuntimeBroker.exe
PID 2792 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2792 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\System32\RuntimeBroker.exe
PID 2792 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\System32\RuntimeBroker.exe
PID 2792 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2792 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\rundll32.exe
PID 2792 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2184 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e3f.exe
PID 2492 wrote to memory of 2184 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e3f.exe
PID 2492 wrote to memory of 2184 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e3f.exe
PID 2492 wrote to memory of 3524 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 2492 wrote to memory of 3524 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 2492 wrote to memory of 3524 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 2792 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\fontdrvhost.exe
PID 2792 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\fontdrvhost.exe
PID 2792 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\dwm.exe
PID 2792 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\sihost.exe
PID 2792 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\svchost.exe
PID 2792 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\taskhostw.exe
PID 2792 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\svchost.exe
PID 2792 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\system32\DllHost.exe
PID 2792 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2792 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\System32\RuntimeBroker.exe
PID 2792 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2792 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\System32\RuntimeBroker.exe
PID 2792 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\System32\RuntimeBroker.exe
PID 2792 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2792 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Users\Admin\AppData\Local\Temp\e574e3f.exe
PID 2792 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Users\Admin\AppData\Local\Temp\e574e3f.exe
PID 2792 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 2792 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e574ce7.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 3524 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\fontdrvhost.exe
PID 3524 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\fontdrvhost.exe
PID 3524 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\dwm.exe
PID 3524 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\sihost.exe
PID 3524 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\taskhostw.exe
PID 3524 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\svchost.exe
PID 3524 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\system32\DllHost.exe
PID 3524 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3524 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\System32\RuntimeBroker.exe
PID 3524 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3524 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\System32\RuntimeBroker.exe
PID 3524 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\System32\RuntimeBroker.exe
PID 3524 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\e57689d.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574ce7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574ce7.exe

C:\Users\Admin\AppData\Local\Temp\e574ce7.exe

C:\Users\Admin\AppData\Local\Temp\e574e3f.exe

C:\Users\Admin\AppData\Local\Temp\e574e3f.exe

C:\Users\Admin\AppData\Local\Temp\e57689d.exe

C:\Users\Admin\AppData\Local\Temp\e57689d.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2492-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574ce7.exe

MD5 c1ee556c48d7dc153ec7e721fad0f822
SHA1 22280d97b38bf5f0772ce94b281c1b11f059bbd3
SHA256 018140d8eca3ee42b77f37ec8f89a5ca8338193354d4d9aaf2bd174138b22bf3
SHA512 e995ebc37903ea801289a1c94612b643eb0b19e0718611fe33e5820b297da95c27f265290f4f90dadbba432ee5905db0a9328e7e62eebfec8edb0e89d02bdb09

memory/2792-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2792-6-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-8-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-11-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2492-15-0x0000000001670000-0x0000000001672000-memory.dmp

memory/2792-10-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-9-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-12-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-31-0x0000000003520000-0x0000000003522000-memory.dmp

memory/2792-24-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-29-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-30-0x0000000003520000-0x0000000003522000-memory.dmp

memory/2792-32-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-33-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-26-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/2492-18-0x0000000001670000-0x0000000001672000-memory.dmp

memory/2792-34-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2492-14-0x00000000016D0000-0x00000000016D1000-memory.dmp

memory/2492-13-0x0000000001670000-0x0000000001672000-memory.dmp

memory/2792-35-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-36-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-37-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-38-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-39-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-41-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-42-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/3524-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2792-52-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-53-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-54-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/3524-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2184-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3524-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3524-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2184-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2184-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2792-64-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-66-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-69-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-71-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-73-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-76-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-78-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-84-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-85-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-87-0x00000000007E0000-0x000000000189A000-memory.dmp

memory/2792-96-0x0000000003520000-0x0000000003522000-memory.dmp

memory/2792-106-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2184-110-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3f96c2d934d83f0b8c3c04ecd04c3178
SHA1 d480d203bdad2c6d275f3abcc099df90ce1bfd86
SHA256 b7d6995a1ebffe7da816b864ce18485f428ebd25b1aa850b54e974ea7dfe15f5
SHA512 431a2c3c0662f5408c7576cc65874a47fa7148851bde882f94c7eea4cc607c4d618ac329ab34306a5ad9970cc7f5b12ceffb8b851c316ef622025009d2551a28

memory/3524-122-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/3524-152-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/3524-153-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:22

Reported

2024-06-11 03:24

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762d09.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76119d C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File created C:\Windows\f7661a0 C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1208 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761140.exe
PID 1208 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761140.exe
PID 1208 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761140.exe
PID 1208 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761140.exe
PID 2464 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\taskhost.exe
PID 2464 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\Dwm.exe
PID 2464 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\Explorer.EXE
PID 2464 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\DllHost.exe
PID 2464 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\rundll32.exe
PID 2464 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\SysWOW64\rundll32.exe
PID 2464 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\SysWOW64\rundll32.exe
PID 1208 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 1208 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 1208 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 1208 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 1208 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 1208 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 1208 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 1208 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 2464 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\taskhost.exe
PID 2464 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\Dwm.exe
PID 2464 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\Explorer.EXE
PID 2464 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 2464 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 2464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 2464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 2648 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe C:\Windows\system32\taskhost.exe
PID 2648 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe C:\Windows\system32\Dwm.exe
PID 2648 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdf8e2fca3c6b0e8bad30203b0cf148da5ec734e9914d5556e0745cc5f379dfe.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761140.exe

C:\Users\Admin\AppData\Local\Temp\f761140.exe

C:\Users\Admin\AppData\Local\Temp\f7612d5.exe

C:\Users\Admin\AppData\Local\Temp\f7612d5.exe

C:\Users\Admin\AppData\Local\Temp\f762d09.exe

C:\Users\Admin\AppData\Local\Temp\f762d09.exe

Network

N/A

Files

memory/1208-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1208-3-0x0000000000190000-0x00000000001A2000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761140.exe

MD5 c1ee556c48d7dc153ec7e721fad0f822
SHA1 22280d97b38bf5f0772ce94b281c1b11f059bbd3
SHA256 018140d8eca3ee42b77f37ec8f89a5ca8338193354d4d9aaf2bd174138b22bf3
SHA512 e995ebc37903ea801289a1c94612b643eb0b19e0718611fe33e5820b297da95c27f265290f4f90dadbba432ee5905db0a9328e7e62eebfec8edb0e89d02bdb09

memory/1208-10-0x0000000000190000-0x00000000001A2000-memory.dmp

memory/2464-16-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-14-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-18-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-13-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-17-0x0000000000670000-0x000000000172A000-memory.dmp

memory/1208-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1112-28-0x0000000000450000-0x0000000000452000-memory.dmp

memory/2464-15-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-20-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-22-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-19-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-21-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-49-0x00000000002F0000-0x00000000002F2000-memory.dmp

memory/1208-36-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2464-50-0x00000000002F0000-0x00000000002F2000-memory.dmp

memory/2464-47-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1208-46-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1208-58-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2648-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1208-59-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2464-61-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-62-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-63-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-64-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-65-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-67-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-68-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2428-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1208-81-0x0000000000270000-0x0000000000282000-memory.dmp

memory/1208-80-0x0000000000190000-0x0000000000192000-memory.dmp

memory/2464-83-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-86-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-87-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2428-102-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2428-101-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2648-97-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2648-96-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2648-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2428-104-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2464-105-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-106-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-123-0x00000000002F0000-0x00000000002F2000-memory.dmp

memory/2464-149-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2464-148-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3af6a64d204753dfa940189d9feb6d05
SHA1 7eb14d47504da43fa34b6fc1d587a83b932020ac
SHA256 af5a9fd215803e2dc649c136beb49e11c60e821d031822689383a9b7f31b4de7
SHA512 1c1931c0b6be684d18c2ca11c537cfda12dc2ec3766443e3323664e88b0852184a08881338e809ab27b490873ba1970267eb720ef53849e0da70a2048e62e8c0

memory/2648-161-0x00000000009C0000-0x0000000001A7A000-memory.dmp

memory/2648-183-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2648-182-0x00000000009C0000-0x0000000001A7A000-memory.dmp

memory/2428-187-0x0000000000400000-0x0000000000412000-memory.dmp