Malware Analysis Report

2024-09-11 12:43

Sample ID: 240611-evdknavbpp
Target: e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6
SHA256: e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6
Tags: sality backdoor evasion trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6

Threat Level: Known bad

The file e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

UAC bypass

Sality

Modifies firewall policy service

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 04:15

Signatures

Unsigned PE

NSIS installer

installer

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 04:15
Reported: 2024-06-11 04:17
Platform: win10v2004-20240508-en
Max time kernel: 22s
Max time network: 100s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e576d31 C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File created C:\Windows\e574297 C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\fontdrvhost.exe
PID 2584 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\fontdrvhost.exe
PID 2584 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\dwm.exe
PID 2584 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\sihost.exe
PID 2584 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\svchost.exe
PID 2584 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\taskhostw.exe
PID 2584 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\Explorer.EXE
PID 2584 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\svchost.exe
PID 2584 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\DllHost.exe
PID 2584 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2584 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\System32\RuntimeBroker.exe
PID 2584 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2584 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\System32\RuntimeBroker.exe
PID 2584 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2584 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\System32\RuntimeBroker.exe
PID 2584 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\System32\RuntimeBroker.exe
PID 2584 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2584 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1408 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\fontdrvhost.exe
PID 1408 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\fontdrvhost.exe
PID 1408 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\dwm.exe
PID 1408 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\sihost.exe
PID 1408 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\svchost.exe
PID 1408 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\taskhostw.exe
PID 1408 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\Explorer.EXE
PID 1408 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\svchost.exe
PID 1408 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\DllHost.exe
PID 1408 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1408 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\System32\RuntimeBroker.exe
PID 1408 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1408 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\System32\RuntimeBroker.exe
PID 1408 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1408 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\System32\RuntimeBroker.exe
PID 1408 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\System32\RuntimeBroker.exe
PID 1408 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe

"C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 2569981f3c1ed36a7b1ed6f215e739a2
SHA1 de12426615e9d6d26ac67babcaca82351fdd7a54
SHA256 e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6
SHA512 93b26b7a164ca9b0e22ac192eda7266b9904f5ba762b96f6128185b496808a728b5ce11584a5dca2e87df56b3401afdab4f2264ffd0db704a32f0c2b84930dc0

C:\Users\Admin\AppData\Local\Temp\0E57474A_Rar\Au_.exe

MD5 a6a6ec93d611f8247a8198acbdead370
SHA1 bbb7c81157fff69d94f6122ea96f58bf01067bc0
SHA256 1825160a506ec596c02ab9869493671bd5c00118e602afc4a3c254a378c024c5
SHA512 b5fb1f27733e0817190c503e94fbbed5c20f986460141f9ca079326250df7adcfd1946e330fa28c703e88a81861312423af136914466d622920ce1092ccfe802

C:\Users\Admin\AppData\Local\Temp\nsf476B.tmp\LangDLL.dll

MD5 ccb909b48488ac50078b994947cf855c
SHA1 08ef6ff2b4df6de0bdc443611815a8db619b6c70
SHA256 32487e83679c88f63f35a9989e58ef3a3084bd70b6ebe76cda459c92ebf2c066
SHA512 ebe5dece02bd459d8d28457fe082bc759c21c0bb641ed31a848e2b521bfd9d2544585b0acbb1dfd08a5a9b91a91bba5aa5339c0f736fd153f852af17144caac8

C:\Users\Admin\AppData\Local\Temp\nsf476B.tmp\UAC.dll

MD5 e6ab90ea8f9454d4a8aed70eb924bb4a
SHA1 22d7c541e93e3d5520756047e3af0324af7640e5
SHA256 07ad34100502d7aebd8c19cf6fabda31814312984ae25d26b081ddebf3926077
SHA512 23953f4163afe3a2ebadbba03e7bec5bab10c8c112ab093e3893ec11d6d4232a526014f02db995b60f63b7cc8e49f2883a6e2112092176ccfa28a45f2397527a

C:\Windows\SYSTEM.INI

MD5 c9c057671b5d097892c2971a35d69081
SHA1 c4ddda64e2a4c8b56d30de539ccc6074706d5876
SHA256 2473a94475bcbbe596e68b5200140a5a55cbbcd6371bf9d29ef2e0fcba3faaf7
SHA512 6748cdc7f49c78f6a75a8e27973debc287d81a0e85c2308d809ed67992c94259d7ba4c4cdf32b8bf5d3b912f5b0eeb2e6116a0d56c68528283b1433053f4abaa

C:\apvyp.pif

MD5 8531d1568a80550d6381a335cce9be54
SHA1 3da01594efc5acad03d7e830c31f0c825a8d542c
SHA256 f6487ed50319212417b9f4867bbbc3994093c2e9fafbae2919d12656fbe07925
SHA512 2b8b6f696cf950275d25323ae3fa7f5224636601ed5d14351b05c16cf7a992b25fd35f12815f712cba851e8e712dabaaff09724fc98092ca4db2cc9aba119e09

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win7-20240220-en

Max time kernel

140s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 224

Network

N/A

Files

memory/2252-0-0x000000006F100000-0x000000006F108000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win7-20240508-en

Max time kernel

9s

Max time network

16s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
File created C:\Windows\f762694 C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File created C:\Windows\f762491 C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\taskhost.exe
PID 1716 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\Dwm.exe
PID 1716 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\Explorer.EXE
PID 1716 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Windows\system32\DllHost.exe
PID 1716 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2740 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\taskhost.exe
PID 2740 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\Dwm.exe
PID 2740 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\Explorer.EXE
PID 2740 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe

"C:\Users\Admin\AppData\Local\Temp\e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 2569981f3c1ed36a7b1ed6f215e739a2
SHA1 de12426615e9d6d26ac67babcaca82351fdd7a54
SHA256 e1b2e96bb57c7afc2c5a7d4bf84a58d360e7363eaa71427d6360829130b1d7c6
SHA512 93b26b7a164ca9b0e22ac192eda7266b9904f5ba762b96f6128185b496808a728b5ce11584a5dca2e87df56b3401afdab4f2264ffd0db704a32f0c2b84930dc0

C:\Windows\SYSTEM.INI

MD5 3f0cfb29d67bcda571fceea5dda4c66d
SHA1 04be8cb89cf0713752b57ac1dabc81029de722af
SHA256 df67707ca97de7da9067c5e6e089b8f927053aff534d60453791894ee568e824
SHA512 14ed52d62b018247a620fd78d05c7e432f865ac17146ede85a32208d8b06d547a62b0408018fe8576d021308d119205891c2eb8e1c151debf987607512746edd

C:\Users\Admin\AppData\Local\Temp\0F762CFA_Rar\Au_.exe

MD5 a6a6ec93d611f8247a8198acbdead370
SHA1 bbb7c81157fff69d94f6122ea96f58bf01067bc0
SHA256 1825160a506ec596c02ab9869493671bd5c00118e602afc4a3c254a378c024c5
SHA512 b5fb1f27733e0817190c503e94fbbed5c20f986460141f9ca079326250df7adcfd1946e330fa28c703e88a81861312423af136914466d622920ce1092ccfe802

\Users\Admin\AppData\Local\Temp\nso2DE6.tmp\UAC.dll

MD5 e6ab90ea8f9454d4a8aed70eb924bb4a
SHA1 22d7c541e93e3d5520756047e3af0324af7640e5
SHA256 07ad34100502d7aebd8c19cf6fabda31814312984ae25d26b081ddebf3926077
SHA512 23953f4163afe3a2ebadbba03e7bec5bab10c8c112ab093e3893ec11d6d4232a526014f02db995b60f63b7cc8e49f2883a6e2112092176ccfa28a45f2397527a

\Users\Admin\AppData\Local\Temp\nso2DE6.tmp\LangDLL.dll

MD5 ccb909b48488ac50078b994947cf855c
SHA1 08ef6ff2b4df6de0bdc443611815a8db619b6c70
SHA256 32487e83679c88f63f35a9989e58ef3a3084bd70b6ebe76cda459c92ebf2c066
SHA512 ebe5dece02bd459d8d28457fe082bc759c21c0bb641ed31a848e2b521bfd9d2544585b0acbb1dfd08a5a9b91a91bba5aa5339c0f736fd153f852af17144caac8

C:\cqyul.pif

MD5 349538f30991173ed19c2df0a66b2bee
SHA1 f088820e92eabdebdf7561e3c99243062094ca03
SHA256 6973736dad19ae639f43c3e9a1e597ff341598e09d6d11e6c205313c2bd07635
SHA512 3daa3a3193e148cb4945b0f2d0aadcff749973ad2df8fbd97bf3c6659ec7726d807e1b25c74ce545d128d664dd300c4eb6cb2cb965b1e1ea749304809222956b

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 3144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 48.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/3144-0-0x000000006F100000-0x000000006F108000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win7-20240508-en

Max time kernel

140s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 224

Network

N/A

Files

memory/2372-0-0x000000006E5C0000-0x000000006E5CD000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 612

Network

Files

memory/3032-0-0x000000006E5C0000-0x000000006E5CD000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win7-20240220-en

Max time kernel

140s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 224

Network

N/A

Files

memory/3056-0-0x000000006A180000-0x000000006A190000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3932 wrote to memory of 2460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3932 wrote to memory of 2460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3932 wrote to memory of 2460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2460 -ip 2460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 48.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2460-0-0x000000006A180000-0x000000006A190000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win7-20240419-en

Max time kernel

140s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 244

Network

N/A

Files

memory/2084-0-0x000000006EB40000-0x000000006EB4A000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-11 04:15

Reported

2024-06-11 04:17

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3992 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3992 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4324-0-0x000000006EB40000-0x000000006EB4A000-memory.dmp