Malware Analysis Report

2024-09-11 12:31

Sample ID 240611-nnct8avfqf
Target e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733
SHA256 e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733
Tags
sality backdoor upx evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733

Threat Level: Known bad

The file e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733 was found to be: Known bad.

Malicious Activity Summary

sality backdoor upx evasion trojan

Sality

Windows security bypass

Modifies firewall policy service

UAC bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

UPX packed file

Deletes itself

Windows security modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 11:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 11:32

Reported

2024-06-11 11:34

Platform

win7-20240419-en

Max time kernel

149s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Sality

backdoor sality

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\Logo1_.exe
PID 2600 wrote to memory of 2740 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2416 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe
PID 2632 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2492 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2600 wrote to memory of 1172 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe

"C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C47.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe

"C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D60.bat

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2748-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1C47.bat

MD5 e3069bc71811f3afae0be09e9375749b
SHA1 91b12422b4b5cd55e015695f8d95a3334dff295c
SHA256 a17669c413105819762ecea5a0e2fe33e427cbc50126615f5d23a89923d4925f
SHA512 aaab49c6ffa576e5b0bbc29ff876cd3739cede731b740e6adc4b9d57b68c43eed51060cd31763855d9f3a7d79f8dc79982574007dfaa25c4fdd6c23c019db149

memory/2748-16-0x0000000000220000-0x0000000000254000-memory.dmp

C:\Windows\Logo1_.exe

MD5 2da5a57d1ba2ed4b46bc3c9817948557
SHA1 8b28792220f874e0abd68de5d946c3ae111f6abb
SHA256 e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f
SHA512 29940a2b80714d8f816a0d6b4f5d93cfb4aeae5e0303f6f06d5091a3e0dc405ae1a1def41ea5e2e709ed6c20d4f4fd8f1d9527ca6eb4eb6d6cf1bc5fce4a7e91

memory/2600-20-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2748-18-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2748-17-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe.exe

MD5 19ec34d3911d99d2bc17d80dc489d6dd
SHA1 25d53157403442255273d60d80933990198dcfe1
SHA256 637a5d19ce49551dcc9110db42c35101d4d99a7b225f089623901700b08f2bc7
SHA512 3877a10d11d9976b2391ff9567faa3f1557c4002dd1932e712702816a6bc6a9f3c5cdd351bb6ebb7e8494a2885b070d79c4bc91917a11ffa9850b9e51e29902a

memory/2632-33-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2416-32-0x0000000002280000-0x00000000022C5000-memory.dmp

memory/2416-31-0x0000000002280000-0x00000000022C5000-memory.dmp

C:\Windows\rundl132.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\$$a1D60.bat

MD5 6c355ec94b84f6ffe0ee0af951180357
SHA1 9e04abbd0cd7c426bda974a98fe173cb9df411a9
SHA256 67710ac9d680af92c314140e457033df473d8dd04769f5e4ce9433d09577930a
SHA512 d4503fb6c38487a1989eea8f4bf2e2d27532d9f974014c90cc6986a524067516c3741ed7a59ef0f1b62c2c773ab5d8d6cf7b485872922cda7dde42bb00577917

memory/2632-45-0x00000000005C0000-0x000000000164E000-memory.dmp

memory/2632-46-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe.exe

MD5 881b4c778ca2c7a349ada53faef34aae
SHA1 6385ad17f7b73cf1a7e68daa606c5beefc59d5b3
SHA256 5e5c0542f5481f5fd9352549f670039429a66cf5a228a11b78b5939a5aeeccc0
SHA512 fc971c8c57a8d667947addeccc2c112b82081b8afe11c785acce370efba5dea158d6654f731df4063d9fc1d66b55046bd64915f92c92f497b274682727bd30c6

memory/1172-85-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/2600-91-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

MD5 3b22ce0fee2d1aaf2c66dcd142740e29
SHA1 94d542b4bb9854a9419753c38e6ffe747653d91c
SHA256 8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79
SHA512 efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

memory/2600-98-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2600-104-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2600-150-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2600-156-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2600-1127-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2600-1934-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 5725841defcb7e0548144bdc53e0b867
SHA1 dd8c3c919b9ee5d068c5c42ba049cc2898add5c5
SHA256 7a1876d6402a6e910fe1ace26d0fc6a0ae27599d0258f9352f6b81bc2b4b72a3
SHA512 de6785d1de40c6b86ec99918bd3b0e884a81377ad1d353799cd34a3399cde727ccbcd48af0880cd5f48ee9ef1bb98fa8f870a83c38f8b9aea77cbea2ade0331c

memory/2600-2526-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2600-3394-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 11:32

Reported

2024-06-11 11:34

Platform

win10v2004-20240508-en

Max time kernel

22s

Max time network

57s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Logo1_.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Logo1_.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Logo1_.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Windows\Logo1_.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Logo1_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Logo1_.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Logo1_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\Logo1_.exe
PID 1652 wrote to memory of 3304 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3304 wrote to memory of 3344 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5116 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe
PID 4856 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\fontdrvhost.exe
PID 4856 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\fontdrvhost.exe
PID 4856 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\dwm.exe
PID 4856 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\sihost.exe
PID 4856 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\svchost.exe
PID 4856 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\taskhostw.exe
PID 4856 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\Explorer.EXE
PID 4856 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\svchost.exe
PID 4856 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\DllHost.exe
PID 4856 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4856 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\System32\RuntimeBroker.exe
PID 4856 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4856 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\System32\RuntimeBroker.exe
PID 4856 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\System32\RuntimeBroker.exe
PID 4856 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4856 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4856 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\Logo1_.exe
PID 4856 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\System32\Conhost.exe
PID 4856 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\fontdrvhost.exe
PID 5116 wrote to memory of 796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\fontdrvhost.exe
PID 5116 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\dwm.exe
PID 5116 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\sihost.exe
PID 5116 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\svchost.exe
PID 5116 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\taskhostw.exe
PID 5116 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Explorer.EXE
PID 5116 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\svchost.exe
PID 5116 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 5116 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5116 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 5116 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5116 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 5116 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 5116 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5116 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5116 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 5116 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1652 wrote to memory of 3404 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1652 wrote to memory of 792 N/A C:\Windows\Logo1_.exe C:\Windows\system32\fontdrvhost.exe
PID 1652 wrote to memory of 796 N/A C:\Windows\Logo1_.exe C:\Windows\system32\fontdrvhost.exe
PID 1652 wrote to memory of 60 N/A C:\Windows\Logo1_.exe C:\Windows\system32\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Logo1_.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe

"C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4258.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe

"C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a446B.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

Network

Files

C:\Windows\Logo1_.exe

MD5 2da5a57d1ba2ed4b46bc3c9817948557
SHA1 8b28792220f874e0abd68de5d946c3ae111f6abb
SHA256 e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f
SHA512 29940a2b80714d8f816a0d6b4f5d93cfb4aeae5e0303f6f06d5091a3e0dc405ae1a1def41ea5e2e709ed6c20d4f4fd8f1d9527ca6eb4eb6d6cf1bc5fce4a7e91

C:\Users\Admin\AppData\Local\Temp\$$a4258.bat

MD5 d1e92ef68386fc4da82cfb9664de671c
SHA1 3f9e880950fc99a7bb69f26c41fa053cdd3b891c
SHA256 b4142e42bdd96620a568a34ca4adf7be4fa9c4c370036c541c2029daf6779656
SHA512 fdf7f68769ac812fcd105de4f1d5e3d6b3c0186b8086f57c71e4c82f6d3ea1cabc78c734b185f0cf8555e1f0fcbd4590a07307cb6e720770a4fec20b28de8514

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe.exe

MD5 19ec34d3911d99d2bc17d80dc489d6dd
SHA1 25d53157403442255273d60d80933990198dcfe1
SHA256 637a5d19ce49551dcc9110db42c35101d4d99a7b225f089623901700b08f2bc7
SHA512 3877a10d11d9976b2391ff9567faa3f1557c4002dd1932e712702816a6bc6a9f3c5cdd351bb6ebb7e8494a2885b070d79c4bc91917a11ffa9850b9e51e29902a

C:\Windows\rundl132.exe

MD5 055f70445f6dddd4fd54325e43a372b7
SHA1 469be276e147c951ff312635bb5524b906446b5c
SHA256 294ad9df8298de59c862731e5255ba3ad589baa36d58f58c9098a98c2914a2c4
SHA512 f8fb98cc67a241394541ea93733962565ee240727e44de93c21bce41cb8e5ed4f2c8e4b30ddbeb4a31d5b083fcdd809a9fb5549c2d16032b9bb06cc732a7627a

C:\Windows\SYSTEM.INI

MD5 d2a15f027c05adc555c1547744706c9a
SHA1 22fe6d84fbfd67cef7cff85f4403a2b704376a6a
SHA256 45f451a0741d497933f9132636b95ca2f44289396836f78e0316430056d22297
SHA512 7c6c0bb6658d0ddb941b632d19a4b01a95193eb415ab9222f613a91be6488c9d631e9bc3176735f83901853a103783adc4cecbb995db25f7a76c191305032e83

C:\Users\Admin\AppData\Local\Temp\e5119f2fb40643cae2fc6626d851394a746fd73a52ea4152708501de6af09733.exe.exe

MD5 881b4c778ca2c7a349ada53faef34aae
SHA1 6385ad17f7b73cf1a7e68daa606c5beefc59d5b3
SHA256 5e5c0542f5481f5fd9352549f670039429a66cf5a228a11b78b5939a5aeeccc0
SHA512 fc971c8c57a8d667947addeccc2c112b82081b8afe11c785acce370efba5dea158d6654f731df4063d9fc1d66b55046bd64915f92c92f497b274682727bd30c6

C:\Users\Admin\AppData\Local\Temp\$$a446B.bat

MD5 96360227fb06bc66d47d92d4a9eab87a
SHA1 1250bfa0febf7c938e83c0472360e1661fe1b354
SHA256 61b239a99f77a4df935210aa82af70a3fb373f7a014c98a193da83ec0ec62e53
SHA512 146311774aac6de5c7d68cbc546cf01c9a1b8ff0bd122acb28b62d47cc5c55b3033c63cec9c4936f03fcf7859fcc6c7dd5c03b59a98ac8eced4c6a90405dcd40

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 3b22ce0fee2d1aaf2c66dcd142740e29
SHA1 94d542b4bb9854a9419753c38e6ffe747653d91c
SHA256 8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79
SHA512 efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

C:\Program Files\7-Zip\7z.exe

MD5 8bbc9df9a5073c867871e7d66f2bdc49
SHA1 5ba2b71158fd38ab467b6be2bec0b83e88ff4aad
SHA256 e531dd4879c8974a4e0b01217a716c4639cdea86ff2cd157c76f78c246674b79
SHA512 3aa5b9dd2fb9a7913b9be69d4e9ec840ace04fdbfa2acf2f08a383fed9f491e31136b4b49b87dd38dd2ce1615bae99006ae0e138130df30f7e85226d460e367d

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 5725841defcb7e0548144bdc53e0b867
SHA1 dd8c3c919b9ee5d068c5c42ba049cc2898add5c5
SHA256 7a1876d6402a6e910fe1ace26d0fc6a0ae27599d0258f9352f6b81bc2b4b72a3
SHA512 de6785d1de40c6b86ec99918bd3b0e884a81377ad1d353799cd34a3399cde727ccbcd48af0880cd5f48ee9ef1bb98fa8f870a83c38f8b9aea77cbea2ade0331c