Malware Analysis Report

2024-09-11 12:28

Sample ID 240611-f4641awcpd
Target fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339
SHA256 fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339

Threat Level: Known bad

The file fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX packed file

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 05:26

Reported

2024-06-11 05:29

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7632c4 C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
File created C:\Windows\f768305 C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763247.exe
PID 2364 wrote to memory of 3024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763247.exe
PID 2364 wrote to memory of 3024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763247.exe
PID 2364 wrote to memory of 3024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763247.exe
PID 3024 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\system32\taskhost.exe
PID 3024 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\system32\Dwm.exe
PID 3024 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\Explorer.EXE
PID 3024 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\system32\DllHost.exe
PID 3024 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\system32\rundll32.exe
PID 3024 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\SysWOW64\rundll32.exe
PID 3024 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 2364 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 2364 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 2364 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 2364 wrote to memory of 2644 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f765409.exe
PID 2364 wrote to memory of 2644 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f765409.exe
PID 2364 wrote to memory of 2644 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f765409.exe
PID 2364 wrote to memory of 2644 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f765409.exe
PID 3024 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\system32\taskhost.exe
PID 3024 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\system32\Dwm.exe
PID 3024 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Windows\Explorer.EXE
PID 3024 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 3024 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 3024 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Users\Admin\AppData\Local\Temp\f765409.exe
PID 3024 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\f763247.exe C:\Users\Admin\AppData\Local\Temp\f765409.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763247.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339.dll,#1

C:\Users\Admin\AppData\Local\Temp\f763247.exe

C:\Users\Admin\AppData\Local\Temp\f763247.exe

C:\Users\Admin\AppData\Local\Temp\f763498.exe

C:\Users\Admin\AppData\Local\Temp\f763498.exe

C:\Users\Admin\AppData\Local\Temp\f765409.exe

C:\Users\Admin\AppData\Local\Temp\f765409.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f763247.exe

MD5 d0799ec23b3a5ccbcc057d23f722e9a6
SHA1 23dfb428ae22fcfe3269da56c23014872c4564e8
SHA256 a49408e46072765f6f15024c4fd483b9e28a905065b48950a7f78636cc127f8f
SHA512 ae2b09ab3db1685447df89a2158fb9c497ee0bef6cfffe4ea287546ff7462fd6f91d018b6658d0ec6bfc970f2004cd6168534e79a5374f6b4ac35c3d0f0b2d0f

memory/3024-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-7-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3024-16-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-12-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-20-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-14-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/1056-28-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/3024-47-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/2364-54-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/3024-45-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2364-44-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2364-36-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2364-35-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/3024-22-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-21-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-19-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-18-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-17-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-15-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-56-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-57-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2464-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-60-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/2364-59-0x0000000000230000-0x0000000000242000-memory.dmp

memory/3024-58-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/3024-62-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-63-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-64-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-66-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-67-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-68-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-69-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2644-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-86-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-85-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2464-104-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2464-103-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2644-102-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2644-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2644-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2464-95-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/3024-107-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-132-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3024-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-152-0x00000000005D0000-0x000000000168A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 def9f0dd411868390069284ef6e07a68
SHA1 4f0b474e88c51e8c9c378bc929c20f50af12bcda
SHA256 cc96e938055277a4f8bfa47d757ecf3a83c880b17e93804e396705e977ef8be0
SHA512 9d8a125b740b032cf4b24d0666e9f168617e410e8051116a34fb722630be8fab03b0d55d835c62b87ea1fa5e8e69f227c3af0c9396b5fe6196c9cedc3832adcf

memory/2464-164-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2464-178-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2464-177-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2644-182-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 05:26

Reported

2024-06-11 05:29

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

152s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e586d8a C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A
File created C:\Windows\e5801a1 C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A (this identical row is reported 64 times in the source; collapsed here)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 1772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe
PID 744 wrote to memory of 1772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe
PID 744 wrote to memory of 1772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe
PID 1772 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\fontdrvhost.exe
PID 1772 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\fontdrvhost.exe
PID 1772 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\dwm.exe
PID 1772 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\sihost.exe
PID 1772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\svchost.exe
PID 1772 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\taskhostw.exe
PID 1772 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\Explorer.EXE
PID 1772 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\svchost.exe
PID 1772 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\DllHost.exe
PID 1772 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1772 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1772 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1772 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1772 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\rundll32.exe
PID 1772 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SysWOW64\rundll32.exe
PID 1772 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58026c.exe
PID 744 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58026c.exe
PID 744 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58026c.exe
PID 744 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f1c.exe
PID 744 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f1c.exe
PID 744 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f1c.exe
PID 744 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f2b.exe
PID 744 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f2b.exe
PID 744 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f2b.exe
PID 1772 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\fontdrvhost.exe
PID 1772 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\fontdrvhost.exe
PID 1772 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\dwm.exe
PID 1772 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\sihost.exe
PID 1772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\svchost.exe
PID 1772 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\taskhostw.exe
PID 1772 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\Explorer.EXE
PID 1772 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\svchost.exe
PID 1772 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\DllHost.exe
PID 1772 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1772 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1772 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1772 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Users\Admin\AppData\Local\Temp\e58026c.exe
PID 1772 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Users\Admin\AppData\Local\Temp\e58026c.exe
PID 1772 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\System32\RuntimeBroker.exe
PID 1772 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
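The rows above are every cross-process write the sandbox observed, with repeats for each call. Read as a graph they separate into two things: a short launch chain (the 64-bit rundll32 4216 writing into the SysWOW64 rundll32 744 it starts, 744 writing into the dropped executables it starts) and, from e580153.exe (PID 1772), a wide fan-out into processes the sample did not create (dwm, Explorer, svchost, RuntimeBroker, msedge, ...). The following is an added example, not code from the report or the sandbox: it parses a constructed subset of the rows, collapses duplicates into counts, ranks writers by fan-out, and lists the PIDs an investigator would need to dump because they were touched transitively from the loader.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a subset of the "wrote to memory" rows, pasted as plain
# text (source PID, target PID, source image, target image).
INJECTION_ROWS = r"""
PID 4216 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4216 wrote to memory of 744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 744 wrote to memory of 1772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580153.exe
PID 1772 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\dwm.exe
PID 1772 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\Explorer.EXE
PID 1772 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Windows\system32\dwm.exe
PID 744 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581f1c.exe
PID 1772 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\e580153.exe C:\Users\Admin\AppData\Local\Temp\e58026c.exe
"""

# Both images begin with a drive letter; that is what splits the two
# space-containing paths ("Program Files (x86)") in the last columns.
ROW_RE = re.compile(
    r'^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$'
)


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_writes(text: str) -> List[Write]:
    writes = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            s, d, si, di = m.groups()
            writes.append(Write(int(s), int(d), si, di))
    return writes


def build_graph(writes: List[Write]) -> Dict[int, Dict[int, Tuple[str, int]]]:
    """src_pid -> {dst_pid: (dst_image, number of writes)}; duplicate rows collapse."""
    graph: Dict[int, Dict[int, Tuple[str, int]]] = defaultdict(dict)
    for w in writes:
        image, n = graph[w.src_pid].get(w.dst_pid, (w.dst_image, 0))
        graph[w.src_pid][w.dst_pid] = (image, n + 1)
    return dict(graph)


def fan_out(graph) -> List[Tuple[int, int]]:
    """(src_pid, distinct targets), most targets first.

    The sandbox logs every cross-process write, so a parent filling in a child
    it has just created (4216 -> 744, the 64-bit rundll32 relaunching as 32-bit;
    744 -> 1772, rundll32 starting the dropped exe) looks the same as injection.
    What marks the injector is fan-out: one PID writing into many unrelated images.
    """
    return sorted(((pid, len(t)) for pid, t in graph.items()), key=lambda x: (-x[1], x[0]))


def reachable_from(graph, root: int) -> List[int]:
    """Every PID touched directly or transitively from root, in BFS order:
    the set to dump and scan, not just the sample's own processes."""
    order, seen, queue = [], {root}, deque([root])
    while queue:
        pid = queue.popleft()
        for child in graph.get(pid, {}):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


def images_written_by(graph, pid: int) -> List[str]:
    """Distinct target image basenames for one writer, sorted case-insensitively."""
    names = {image.rsplit("\\", 1)[-1] for image, _ in graph.get(pid, {}).values()}
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    g = build_graph(parse_writes(INJECTION_ROWS))
    for pid, n in fan_out(g):
        print(f"PID {pid}: {n} distinct targets -> {images_written_by(g, pid)}")
    print("touched from the loader:", reachable_from(g, 4216))
```

Run against the full table rather than the subset, the reachable set from 4216 is the list of processes whose memory should be acquired before the machine is rebooted; PIDs are only meaningful within this detonation, so match on image path when transferring the logic to another host.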

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e581f1c.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ffb386bceb8,0x7ffb386bcec4,0x7ffb386bced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2336,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2356,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=2624 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6068da5125ff7006287627e0b6eeaf8dc06bbf663f997eaa24f1672a2f4339.dll,#1

C:\Users\Admin\AppData\Local\Temp\e580153.exe

C:\Users\Admin\AppData\Local\Temp\e580153.exe

C:\Users\Admin\AppData\Local\Temp\e58026c.exe

C:\Users\Admin\AppData\Local\Temp\e58026c.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e581f1c.exe

C:\Users\Admin\AppData\Local\Temp\e581f1c.exe

C:\Users\Admin\AppData\Local\Temp\e581f2b.exe

C:\Users\Admin\AppData\Local\Temp\e581f2b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e580153.exe

MD5 d0799ec23b3a5ccbcc057d23f722e9a6
SHA1 23dfb428ae22fcfe3269da56c23014872c4564e8
SHA256 a49408e46072765f6f15024c4fd483b9e28a905065b48950a7f78636cc127f8f
SHA512 ae2b09ab3db1685447df89a2158fb9c497ee0bef6cfffe4ea287546ff7462fd6f91d018b6658d0ec6bfc970f2004cd6168534e79a5374f6b4ac35c3d0f0b2d0f

memory/1772-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/744-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1772-6-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-8-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-12-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-10-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-11-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-13-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-32-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-30-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/744-29-0x0000000000D80000-0x0000000000D82000-memory.dmp

memory/1772-28-0x0000000003520000-0x0000000003522000-memory.dmp

memory/1772-26-0x0000000003520000-0x0000000003522000-memory.dmp

memory/1772-9-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/744-18-0x0000000000D80000-0x0000000000D82000-memory.dmp

memory/1772-17-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/744-15-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/744-14-0x0000000000D80000-0x0000000000D82000-memory.dmp

memory/1772-34-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-33-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-36-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-35-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-37-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-38-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-39-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-41-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-42-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4044-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2604-55-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1772-56-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-58-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/2604-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4044-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2596-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2604-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2604-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4044-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4044-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2596-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2596-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1772-71-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-73-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-75-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-79-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-80-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-81-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-82-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-83-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-86-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-88-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-90-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-91-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/1772-110-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-114-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 cfde2861495b9ed673cca7b32c098f40
SHA1 5332ba2c3fc9539174efa4f096b306d3d1c708df
SHA256 ed286e3d2eb9ca242a38d1e18e2aa5957ca448650baf6a4dfa2cc3fe8ac0232b
SHA512 ab2bb98ea5e52a6fb08f37b59a72b4f98a6785f6edaa44ce591de86f6ee864907e66f846fd66a8ee20abcbc628287d9aa245e9414e3f0315c97be212b8104b96

memory/4044-137-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/4044-149-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/2604-148-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4044-144-0x0000000000400000-0x0000000000412000-memory.dmp
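The memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp entries above are repeated snapshots of a handful of regions, and the region geometry already says a lot: the 0x400000-0x412000 range recurs in 1772, 4044, 2604 and 2596, so the dropper and every dropped executable carry the same 0x12000-byte image, and the large private region is the same size (0x10BA000 bytes) in 1772 and 4044 at different bases. The following is an added example, not part of the report: it parses a constructed subset of the dump names, collapses the snapshots per region, and surfaces both patterns so an analyst can pick one dump per distinct payload instead of opening every file.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a subset of the dump names listed above, same naming
# scheme as the report (memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp).
DUMP_NAMES = """
memory/1772-5-0x0000000000400000-0x0000000000412000-memory.dmp
memory/744-0-0x0000000010000000-0x0000000010020000-memory.dmp
memory/1772-6-0x00000000007A0000-0x000000000185A000-memory.dmp
memory/1772-8-0x00000000007A0000-0x000000000185A000-memory.dmp
memory/1772-28-0x0000000003520000-0x0000000003522000-memory.dmp
memory/4044-52-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2604-55-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1772-110-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2596-114-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4044-137-0x0000000000B90000-0x0000000001C4A000-memory.dmp
""".split()

DUMP_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')


class Region(NamedTuple):
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(names: List[str]) -> List[Tuple[int, Region]]:
    """(sequence number, region) for every well-formed dump name."""
    out = []
    for name in names:
        m = DUMP_RE.match(name.strip())
        if m:
            pid, seq, start, end = m.groups()
            out.append((int(seq), Region(int(pid), int(start, 16), int(end, 16))))
    return out


def group_by_region(names: List[str]) -> Dict[Region, List[int]]:
    """Collapse repeated snapshots: region -> ascending sequence numbers."""
    groups: Dict[Region, List[int]] = defaultdict(list)
    for seq, region in parse_dumps(names):
        groups[region].append(seq)
    return {r: sorted(s) for r, s in groups.items()}


def shared_layouts(groups: Dict[Region, List[int]]) -> Dict[Tuple[int, int], List[int]]:
    """(start, end) ranges present in more than one PID, with those PIDs.

    The same range in the dropper and each dropped exe means one image was
    written to all of them; unpacking one of those dumps covers the rest."""
    by_range: Dict[Tuple[int, int], set] = defaultdict(set)
    for r in groups:
        by_range[(r.start, r.end)].add(r.pid)
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def same_size_allocations(groups: Dict[Region, List[int]]) -> Dict[int, List[Region]]:
    """size -> regions of that size seen in more than one PID.

    A private allocation of identical size at different bases in two processes
    is the same payload placed wherever the allocator put it; a dump of either
    is a candidate for the unpacked code, matched by size rather than address."""
    by_size: Dict[int, List[Region]] = defaultdict(list)
    for r in groups:
        by_size[r.size].append(r)
    return {s: sorted(rs) for s, rs in by_size.items() if len({r.pid for r in rs}) > 1}


def first_dump(groups: Dict[Region, List[int]], region: Region) -> str:
    """Name of the earliest snapshot of a region, the one to open first."""
    seq = groups[region][0]
    return f"memory/{region.pid}-{seq}-0x{region.start:016X}-0x{region.end:016X}-memory.dmp"


if __name__ == "__main__":
    g = group_by_region(DUMP_NAMES)
    for region, seqs in sorted(g.items()):
        print(f"PID {region.pid}: 0x{region.start:X}-0x{region.end:X} "
              f"({region.size:#x} bytes), {len(seqs)} snapshot(s), first: {first_dump(g, region)}")
    print("shared ranges:", shared_layouts(g))
    print("same-size allocations:", {hex(s): rs for s, rs in same_size_allocations(g).items()})
```

The earliest snapshot of a region is usually the least modified one, but for a self-modifying or polymorphic payload the later snapshots of the same range are the ones that contain the decoded code, so compare the first and last sequence numbers for each region before discarding any.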