Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Sality

backdoor sality

UAC bypass

evasion trojan

Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Windows security bypass

evasion trojan

Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Windows security modification

evasion trojan

Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Enumerates connected drives

Description	Indicator	Process	Target
File opened (read-only)	\??\t:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\e:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\i:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\m:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\o:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\p:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\q:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\s:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\v:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\x:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\b:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\g:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\k:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\E:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\a:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\l:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\n:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\r:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\w:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\y:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\z:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\h:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\j:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
File opened (read-only)	\??\u:	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description	Indicator	Process	Target
File opened for modification	\??\PhysicalDrive0	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\SYSTEM.INI	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809d8041c8bcda01	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000651fa33474a93a4bb75d072a06c68f2b0000000002000000000010660000000100002000000028d461b2aad6202396b79b72fc0484b573d29d5847827cd489506edd01c5ef69000000000e80000000020000200000003bdfb4514960bcd7e08c9dacff422a9367ab263c7c1ca06378095769882703769000000078c4e68245e6959dd50bcfbc877ef04711d08a49f53d07e01baf86929c2b9071f0afc7dc056aeb99a6231e4a02ac3f3d38a48885a31367adf0ec3b6caa3a7d2464c10f6495f92cd67e6ad28b1edf5b0d21352ccdbdb791d316c18a42a376e4de317ec837d05ec96d73158e4e6cb34343d1aa835cf26a15a141210c82b8f5a9cfa7eca5220ddba9dda12b0a78818663a940000000119bb973c6372b8a8b9810060603bc250881184aa2ee1d31e612413a61135fffb237ea64e222454eb4d99ad54b7c9fed333b81aae06e027c308c2fa8b943e379	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C568E71-28BB-11EF-8F92-565622222C98} = "0"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000651fa33474a93a4bb75d072a06c68f2b00000000020000000000106600000001000020000000891e3a54015722ee63728fc84ac096c9f3edde09329443759908fcb20919ebce000000000e8000000002000020000000e1d6a4a8818d6c86dac6f346f8e66a64474d62f7339148606742053c7502ed5c20000000cac4d3284013cca4b8bb3a8ef3093bebebcbddf16070f031f38b33ebf6f7e44540000000789c6d9e123657573b0e43cc3f6a481706cab5ce3e2539ee4cba41587718b9fcede777ff8e41539f45243e889bcfaf2ded2883b07ab530dfb9f465b3e3ac4ebb	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424358959"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	C:\Program Files\Internet Explorer\iexplore.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Program Files\Internet Explorer\iexplore.exe	N/A

Suspicious use of SendNotifyMessage

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A
N/A	N/A	C:\Program Files\Internet Explorer\iexplore.exe	N/A
N/A	N/A	C:\Program Files\Internet Explorer\iexplore.exe	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2868 wrote to memory of 1040	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Windows\system32\Dwm.exe
PID 2868 wrote to memory of 1084	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Windows\Explorer.EXE
PID 2868 wrote to memory of 1092	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Windows\system32\taskhost.exe
PID 2868 wrote to memory of 1428	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Windows\system32\DllHost.exe
PID 2868 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 2868 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 2868 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 2868 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 2564 wrote to memory of 360	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 360	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 360	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2564 wrote to memory of 360	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion

Description	Indicator	Process	Target
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	C:\Users\Admin\AppData\Local\Temp\aspweb88.exe	N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\aspweb88.exe

"C:\Users\Admin\AppData\Local\Temp\aspweb88.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1:88/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2

Network

Country	Destination	Domain	Proto
N/A	127.0.0.1:88		tcp
N/A	127.0.0.1:88		tcp
US	204.79.197.200:443	ieonline.microsoft.com	tcp
US	204.79.197.200:443	ieonline.microsoft.com	tcp
US	204.79.197.200:443	ieonline.microsoft.com	tcp

Files

memory/2868-0-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2868-3-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-8-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-4-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-10-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-6-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-5-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-9-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-7-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-12-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-28-0x0000000000340000-0x0000000000342000-memory.dmp

memory/2868-11-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-31-0x0000000000340000-0x0000000000342000-memory.dmp

memory/2868-33-0x0000000074EE0000-0x0000000074EE9000-memory.dmp

memory/2868-32-0x0000000074EE1000-0x0000000074EE2000-memory.dmp

memory/2868-27-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2868-25-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2868-24-0x0000000000340000-0x0000000000342000-memory.dmp

memory/1040-14-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2868-13-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-34-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-37-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-36-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-39-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2868-56-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/2868-54-0x0000000074EE0000-0x0000000074EE9000-memory.dmp

memory/2868-48-0x0000000000340000-0x0000000000342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab454C.tmp

MD5	ac05d27423a85adc1622c714f2cb6184
SHA1	b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256	c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512	6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab460A.tmp

MD5	49aebf8cbd62d92ac215b2923fb1b9f5
SHA1	1723be06719828dda65ad804298d0431f6aff976
SHA256	b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512	bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar461F.tmp

MD5	4ea6026cf93ec6338144661bf1202cd1
SHA1	a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256	8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512	6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b