Malware Analysis Report

2024-09-11 12:57

Sample ID 240612-h8jklsthje
Target fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240
SHA256 fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240
Tags: sality, backdoor, evasion, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240

Threat Level: Known bad

The file fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240 was found to be: Known bad.

Malicious Activity Summary

Tags: sality, backdoor, evasion, trojan, upx

UAC bypass

Sality

Windows security bypass

Modifies firewall policy service

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 07:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 07:24

Reported

2024-06-12 07:26

Platform

win7-20240611-en

Max time kernel

121s

Max time network

125s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Sality

Tags: backdoor, sality

UAC bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Windows security bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

Tags: evasion, trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f767761 | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2432 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3024 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f767668.exe
PID 3044 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f767668.exe | C:\Windows\system32\taskhost.exe
PID 3044 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\f767668.exe | C:\Windows\system32\Dwm.exe
PID 3044 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\f767668.exe | C:\Windows\Explorer.EXE

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f767668.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240.dll,#1

C:\Users\Admin\AppData\Local\Temp\f767668.exe

C:\Users\Admin\AppData\Local\Temp\f767668.exe

Network

N/A

Files

memory/3024-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f767668.exe

MD5 da8cda47c28a5de6805497b8d82ded8d
SHA1 8558db0981f56a9c04296a0f66e69f0040f86743
SHA256 55d4289447060342bd294a69fcd97e3040e8eb543908ee4b1b24d2a4fcad491b
SHA512 31527570893125b987708653034a98e763fcad3fd624c9170dbf8104d9124a53227dac76e0a1fb52cadff4a85b61d470e7d9fb2541536eb5a43a4bc41e4c9ede

memory/3024-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3044-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3044-12-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-17-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-19-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-21-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-14-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-15-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-20-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-16-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-22-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-18-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-39-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

memory/3044-38-0x0000000003E10000-0x0000000003E11000-memory.dmp

memory/3044-40-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

memory/3044-35-0x0000000003E10000-0x0000000003E11000-memory.dmp

memory/3044-34-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

memory/1188-28-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/3044-41-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-42-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-43-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-44-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-45-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-47-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-48-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3044-60-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

memory/3044-67-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3044-68-0x0000000000520000-0x00000000015DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 07:24

Reported

2024-06-12 07:26

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A

Sality

Tags: backdoor, sality

UAC bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A

Windows security bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\e57eb89 | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A
File created | C:\Windows\e584188 | C:\Users\Admin\AppData\Local\Temp\e58195f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5096 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5044 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe
PID 3000 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\fontdrvhost.exe
PID 3000 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\fontdrvhost.exe
PID 3000 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\dwm.exe
PID 3000 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\sihost.exe
PID 3000 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\taskhostw.exe
PID 3000 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\Explorer.EXE
PID 3000 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\DllHost.exe
PID 3000 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3000 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3000 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3000 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\backgroundTaskHost.exe
PID 3000 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\system32\rundll32.exe
PID 3000 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5044 wrote to memory of 4364 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57ec44.exe
PID 5044 wrote to memory of 4364 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57ec44.exe
PID 5044 wrote to memory of 4364 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57ec44.exe
PID 3000 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\fontdrvhost.exe
PID 3000 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\fontdrvhost.exe
PID 3000 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\dwm.exe
PID 3000 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\sihost.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\taskhostw.exe
PID 3000 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\Explorer.EXE
PID 3000 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\DllHost.exe
PID 3000 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3000 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3000 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3000 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3000 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\rundll32.exe
PID 3000 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Users\Admin\AppData\Local\Temp\e57ec44.exe
PID 3000 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Users\Admin\AppData\Local\Temp\e57ec44.exe
PID 3000 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3000 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3000 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe C:\Windows\system32\DllHost.exe
PID 5044 wrote to memory of 4408 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58195f.exe
PID 5044 wrote to memory of 4408 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58195f.exe
PID 5044 wrote to memory of 4408 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58195f.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e58195f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffc9f3dceb8,0x7ffc9f3dcec4,0x7ffc9f3dced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2296,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2452,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f2659b508fb97a152210d8b3750003d5bf169c3d8fd26be7716adcd692240.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe

C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe

C:\Users\Admin\AppData\Local\Temp\e57ec44.exe

C:\Users\Admin\AppData\Local\Temp\e57ec44.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\e58195f.exe

C:\Users\Admin\AppData\Local\Temp\e58195f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e57eb3b.exe

MD5 da8cda47c28a5de6805497b8d82ded8d
SHA1 8558db0981f56a9c04296a0f66e69f0040f86743
SHA256 55d4289447060342bd294a69fcd97e3040e8eb543908ee4b1b24d2a4fcad491b
SHA512 31527570893125b987708653034a98e763fcad3fd624c9170dbf8104d9124a53227dac76e0a1fb52cadff4a85b61d470e7d9fb2541536eb5a43a4bc41e4c9ede

memory/5044-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3000-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-8-0x0000000000780000-0x000000000183A000-memory.dmp

memory/5044-16-0x00000000009D0000-0x00000000009D2000-memory.dmp

memory/3000-32-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3000-30-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-28-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4364-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-33-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-34-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-29-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3000-10-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-17-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-20-0x0000000001B40000-0x0000000001B41000-memory.dmp

memory/5044-18-0x00000000009D0000-0x00000000009D2000-memory.dmp

memory/5044-13-0x0000000003C70000-0x0000000003C71000-memory.dmp

memory/5044-12-0x00000000009D0000-0x00000000009D2000-memory.dmp

memory/3000-11-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-6-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-36-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-35-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-37-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-38-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-39-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-40-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4364-44-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4364-43-0x0000000000530000-0x0000000000531000-memory.dmp

memory/4364-45-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/3000-46-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4408-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-55-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-56-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-58-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-59-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-60-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-64-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-65-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-68-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3000-69-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4364-92-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-88-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3000-79-0x0000000000670000-0x0000000000672000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 60cb95f4f83976a970a626c6a8a7cccb
SHA1 70597a478e2a24fd82d200f2e8e662bd1267c6fc
SHA256 ae899b261e02938276da481ccc9b950fdf020d79dd0464e35cfe421fee26c4c3
SHA512 0ecac52f39a007602b378f0b225e463a032985d140951c96763e4ba88f2c5a0b34c595e3576025978cddffc90e29c37fac99dddec790a6182c46d494010ddc42

memory/4408-104-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4408-114-0x0000000004370000-0x0000000004371000-memory.dmp

memory/4408-113-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/4408-147-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4408-148-0x0000000000400000-0x0000000000412000-memory.dmp