Malware Analysis Report

2024-09-11 12:59

Sample ID 240614-adzpcawhqe
Target 724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef
SHA256 724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef

Threat Level: Known bad

The file 724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Sality

Windows security bypass

Modifies firewall policy service

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:06

Reported

2024-06-14 00:09

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (23 identical hits)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (27 identical hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (23 identical hits)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761fef C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
File created C:\Windows\f767031 C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A (21 identical hits)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A (20 identical hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2596 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2596 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2596 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f92.exe
PID 2876 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\taskhost.exe
PID 2876 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\Dwm.exe
PID 2876 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\Explorer.EXE
PID 2876 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\DllHost.exe
PID 2876 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\rundll32.exe
PID 2876 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\SysWOW64\rundll32.exe
PID 2876 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762118.exe
PID 2596 wrote to memory of 2540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762118.exe
PID 2596 wrote to memory of 2540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762118.exe
PID 2596 wrote to memory of 2540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762118.exe
PID 2596 wrote to memory of 2992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2596 wrote to memory of 2992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2596 wrote to memory of 2992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2596 wrote to memory of 2992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2876 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\taskhost.exe
PID 2876 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\system32\Dwm.exe
PID 2876 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Windows\Explorer.EXE
PID 2876 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f762118.exe
PID 2876 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f762118.exe
PID 2876 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2876 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f761f92.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2992 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f763b5b.exe C:\Windows\system32\taskhost.exe
PID 2992 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f763b5b.exe C:\Windows\system32\Dwm.exe
PID 2992 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\f763b5b.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f92.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761f92.exe

C:\Users\Admin\AppData\Local\Temp\f761f92.exe

C:\Users\Admin\AppData\Local\Temp\f762118.exe

C:\Users\Admin\AppData\Local\Temp\f762118.exe

C:\Users\Admin\AppData\Local\Temp\f763b5b.exe

C:\Users\Admin\AppData\Local\Temp\f763b5b.exe

Network

N/A

Files

memory/2596-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761f92.exe

MD5 53ff378083c6954208051a6b7ffd9713
SHA1 3a4efe228ea2b501b02b4d6c2c865ca49ca0b01e
SHA256 1b9bda1736d6fe16b2acdf99515a0e9a69eaaf513294c01277c8a19e4ab97281
SHA512 83dfad88027500827cccfa02450e82c45188f4ae7f7ef32d4a93364dda98330fb1a35116448a28c135133fc842be48a165d34078101e2683f498e660369d352f

memory/2876-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2876-15-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-17-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-19-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-16-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-21-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-14-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-22-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2540-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2876-49-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/2876-47-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

memory/2596-46-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2876-23-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2596-38-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2596-37-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1116-29-0x0000000000410000-0x0000000000412000-memory.dmp

memory/2596-59-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2596-58-0x0000000000260000-0x0000000000272000-memory.dmp

memory/2876-57-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/2596-56-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2876-20-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-18-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-62-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-63-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-64-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-66-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-65-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-68-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-69-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2596-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2992-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-78-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2876-84-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-85-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2876-87-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2540-98-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2540-99-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2992-105-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2992-106-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2992-109-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2540-108-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2876-132-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/2876-157-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2876-158-0x00000000006E0000-0x000000000179A000-memory.dmp

memory/2540-162-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f2e31afa002688c1c38ba3862b276442
SHA1 38a1281053057f9acb9521853b094163a2a626e2
SHA256 53ac8a433aca1c3314a36c0f8ec9a875d89673d979f135d8ea98ab2a1f041030
SHA512 fb9df3860a23134e75fd5d5b727e69fee1bfa693a514ca5aed593cc31e277703ef9c3824212ce976fea7c6acbca581d6706e916238c5d1240a2307cb6b0fb3c6

memory/2992-169-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2992-210-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2992-211-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:06

Reported

2024-06-14 00:09

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

148s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (27 identical hits)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (33 identical hits)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (27 identical hits)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57fcfd C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
File created C:\Windows\e584ce3 C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 4844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 4844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 4844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc90.exe
PID 4844 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc90.exe
PID 4844 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc90.exe
PID 4180 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\fontdrvhost.exe
PID 4180 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\fontdrvhost.exe
PID 4180 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\dwm.exe
PID 4180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\sihost.exe
PID 4180 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\svchost.exe
PID 4180 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\taskhostw.exe
PID 4180 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\Explorer.EXE
PID 4180 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\svchost.exe
PID 4180 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\DllHost.exe
PID 4180 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4180 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4180 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4180 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4180 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\rundll32.exe
PID 4180 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe
PID 4844 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe
PID 4844 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe
PID 4844 wrote to memory of 2196 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5823a0.exe
PID 4844 wrote to memory of 2196 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5823a0.exe
PID 4844 wrote to memory of 2196 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5823a0.exe
PID 4180 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\fontdrvhost.exe
PID 4180 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\fontdrvhost.exe
PID 4180 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\dwm.exe
PID 4180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\sihost.exe
PID 4180 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\svchost.exe
PID 4180 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\taskhostw.exe
PID 4180 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\Explorer.EXE
PID 4180 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\svchost.exe
PID 4180 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\DllHost.exe
PID 4180 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4180 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4180 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4180 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4180 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe
PID 4180 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe
PID 4180 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4180 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Windows\System32\RuntimeBroker.exe
PID 4180 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Users\Admin\AppData\Local\Temp\e5823a0.exe
PID 4180 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e57fc90.exe C:\Users\Admin\AppData\Local\Temp\e5823a0.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fc90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5823a0.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7fffde21ceb8,0x7fffde21cec4,0x7fffde21ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2276,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1716,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\724123971f59fbca6f274c35770934ca4845c6b3362c3e3ab5adf031f3f417ef.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57fc90.exe

C:\Users\Admin\AppData\Local\Temp\e57fc90.exe

C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe

C:\Users\Admin\AppData\Local\Temp\e57fd9a.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5823a0.exe

C:\Users\Admin\AppData\Local\Temp\e5823a0.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4844-2-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57fc90.exe

MD5 53ff378083c6954208051a6b7ffd9713
SHA1 3a4efe228ea2b501b02b4d6c2c865ca49ca0b01e
SHA256 1b9bda1736d6fe16b2acdf99515a0e9a69eaaf513294c01277c8a19e4ab97281
SHA512 83dfad88027500827cccfa02450e82c45188f4ae7f7ef32d4a93364dda98330fb1a35116448a28c135133fc842be48a165d34078101e2683f498e660369d352f

memory/4180-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4180-6-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-8-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4844-15-0x0000000004190000-0x0000000004192000-memory.dmp

memory/4180-29-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-30-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4488-33-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4180-34-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-19-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-10-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-17-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4844-23-0x0000000004190000-0x0000000004192000-memory.dmp

memory/4180-22-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/4180-21-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-20-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/4180-14-0x0000000001B00000-0x0000000001B01000-memory.dmp

memory/4844-12-0x0000000004220000-0x0000000004221000-memory.dmp

memory/4844-11-0x0000000004190000-0x0000000004192000-memory.dmp

memory/4180-35-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-36-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-37-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-38-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-39-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-40-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/2196-49-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2196-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2196-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4488-54-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4488-51-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2196-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4488-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4180-58-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-59-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-60-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-62-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-64-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-65-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-66-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-69-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-72-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-83-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/4180-75-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4180-92-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e2e82efd523408f70e49ac05c00e1ca4
SHA1 48d1b71bb624e6862647926f8241e20fb7ac7d1c
SHA256 4ead16935fa32e415d8d10dde8e397c399b5f38c64234283b2dd58b7b9cb8449
SHA512 b44de24df38116017b54e577c71840176074e1254b12838bdfd8d80a1eeb2e071d6d665ceb82133f5c672b263fdce6d988a36f3181c9d5b5dbb588cf09a7f63c

memory/4488-105-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2196-108-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/2196-144-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/2196-145-0x0000000000400000-0x0000000000412000-memory.dmp