Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-arr7es1elm
Target 7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa
SHA256 7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa

Threat Level: Known bad

The file 7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Sality

Modifies firewall policy service

Windows security bypass

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Windows security modification

Deletes itself

UPX packed file

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:27

Reported

2024-06-14 00:29

Platform

win10v2004-20240611-en

Max time kernel

27s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
40 matches recorded; every row has all four fields N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
41 matches recorded; every row has all four fields N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
39 matches recorded; every row has all four fields N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN = "C:\\Windows\\System32\\BttnServ.exe" C:\Windows\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A
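
The registry rows in the tables above (firewall profile, EnableLUA, Security Center overrides, Run key), together with the System policy modification table later in this section, are the host indicators most worth turning into a check. The following Python is added here as an illustration and is not part of the sandbox output: it parses rows in the report's "Description Indicator Process Target" layout, maps each write to a finding, and flags a Run key whose data is an svchost.exe outside System32 or SysWOW64. The row grammar, the finding names and the sample rows (copied from the tables above) are assumptions made for this example.

```python
"""
Evaluate 'Set value' registry rows from a sandbox signature table against a
small rule set covering what this Sality sample does: disable UAC, turn off
the Windows Firewall profile, suppress Security Center warnings, and install
a Run key that points at an svchost.exe outside System32.

Added illustration, not part of the sandbox report. The row grammar, the
rule names and the sample rows below (copied from the report) are assumptions
made for this example.
"""
import ntpath
import re

# One row of the report's "Description Indicator Process Target" table.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)

# Where a real svchost.exe lives; anything else with that name is a masquerade.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rows(text):
    """Yield (key, value_name, data, process) for every 'Set value' row."""
    for line in text.splitlines():
        m = SET_VALUE.match(line.strip())
        if not m:
            continue  # 'Key created' rows and blanks carry no value to evaluate
        key = m.group("key")
        data = m.group("data").replace("\\\\", "\\")  # report doubles backslashes in string data
        yield key, key.rsplit("\\", 1)[-1], data, m.group("process")


def classify(key, name, data):
    """Map one registry write to a finding tag, or None if it is not of interest."""
    k = key.lower()
    if name == "EnableLUA" and data == "0":
        return "uac_disabled"
    if "firewallpolicy" in k and name == "EnableFirewall" and data == "0":
        return "firewall_disabled"
    if "firewallpolicy" in k and name == "DoNotAllowExceptions" and data == "0":
        return "firewall_exceptions_allowed"
    if r"\security center" in k and data == "1" and (
        name.endswith("Override") or name.endswith("DisableNotify")
    ):
        return "security_center_suppressed"
    if r"\currentversion\run" in k:
        exe = ntpath.basename(data).lower()
        parent = ntpath.dirname(data).lower()
        if exe == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
            return "run_key_masquerade"
        return "run_key"
    return None


def assess(text):
    """Return {tag: sorted [(process, value_name, data), ...]} for all matched rows."""
    findings = {}
    for key, name, data, process in parse_rows(text):
        tag = classify(key, name, data)
        if tag:
            findings.setdefault(tag, set()).add((process, name, data))
    return {tag: sorted(rows) for tag, rows in findings.items()}


# Constructed input: rows copied from the report's signature tables.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN = "C:\\Windows\\System32\\BttnServ.exe" C:\Windows\svchost.exe N/A
'''

if __name__ == "__main__":
    for tag, rows in sorted(assess(SAMPLE_ROWS).items()):
        print(f"{tag}:")
        for process, name, data in rows:
            print(f"  {name} = {data!r}  (written by {ntpath.basename(process)})")
```

Run it as-is to see the findings for the constructed rows; paste the full tables from this section into SAMPLE_ROWS and the same tags are raised twice, once for the original sample and once for the dropped C:\Windows\svchost.exe, which is the point of checking the Process column rather than only the key.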

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\BttnServ.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File opened for modification C:\Windows\SysWOW64\BttnServ.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File opened for modification C:\Windows\SysWOW64\BttnServ.exe C:\Windows\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Windows\svchost.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Windows\svchost.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Windows\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A (identical row recorded 64 times)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
N/A N/A C:\Windows\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4360 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\fontdrvhost.exe
PID 4360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\fontdrvhost.exe
PID 4360 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\dwm.exe
PID 4360 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\sihost.exe
PID 4360 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\svchost.exe
PID 4360 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\taskhostw.exe
PID 4360 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\Explorer.EXE
PID 4360 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\svchost.exe
PID 4360 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\DllHost.exe
PID 4360 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4360 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4360 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4360 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4360 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4360 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\System32\RuntimeBroker.exe
PID 4360 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4360 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4360 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 4360 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 4360 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 3264 wrote to memory of 796 N/A C:\Windows\svchost.exe C:\Windows\system32\fontdrvhost.exe
PID 3264 wrote to memory of 792 N/A C:\Windows\svchost.exe C:\Windows\system32\fontdrvhost.exe
PID 3264 wrote to memory of 336 N/A C:\Windows\svchost.exe C:\Windows\system32\dwm.exe
PID 3264 wrote to memory of 3004 N/A C:\Windows\svchost.exe C:\Windows\system32\sihost.exe
PID 3264 wrote to memory of 3068 N/A C:\Windows\svchost.exe C:\Windows\system32\svchost.exe
PID 3264 wrote to memory of 3076 N/A C:\Windows\svchost.exe C:\Windows\system32\taskhostw.exe
PID 3264 wrote to memory of 3480 N/A C:\Windows\svchost.exe C:\Windows\Explorer.EXE
PID 3264 wrote to memory of 3632 N/A C:\Windows\svchost.exe C:\Windows\system32\svchost.exe
PID 3264 wrote to memory of 3820 N/A C:\Windows\svchost.exe C:\Windows\system32\DllHost.exe
PID 3264 wrote to memory of 3932 N/A C:\Windows\svchost.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3264 wrote to memory of 3996 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 4088 N/A C:\Windows\svchost.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3264 wrote to memory of 4168 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 844 N/A C:\Windows\svchost.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3264 wrote to memory of 4960 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 64 N/A C:\Windows\svchost.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3264 wrote to memory of 4192 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 1060 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 796 N/A C:\Windows\svchost.exe C:\Windows\system32\fontdrvhost.exe
PID 3264 wrote to memory of 792 N/A C:\Windows\svchost.exe C:\Windows\system32\fontdrvhost.exe
PID 3264 wrote to memory of 336 N/A C:\Windows\svchost.exe C:\Windows\system32\dwm.exe
PID 3264 wrote to memory of 3004 N/A C:\Windows\svchost.exe C:\Windows\system32\sihost.exe
PID 3264 wrote to memory of 3068 N/A C:\Windows\svchost.exe C:\Windows\system32\svchost.exe
PID 3264 wrote to memory of 3076 N/A C:\Windows\svchost.exe C:\Windows\system32\taskhostw.exe
PID 3264 wrote to memory of 3480 N/A C:\Windows\svchost.exe C:\Windows\Explorer.EXE
PID 3264 wrote to memory of 3632 N/A C:\Windows\svchost.exe C:\Windows\system32\svchost.exe
PID 3264 wrote to memory of 3820 N/A C:\Windows\svchost.exe C:\Windows\system32\DllHost.exe
PID 3264 wrote to memory of 3932 N/A C:\Windows\svchost.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3264 wrote to memory of 3996 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 4088 N/A C:\Windows\svchost.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3264 wrote to memory of 4168 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 844 N/A C:\Windows\svchost.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3264 wrote to memory of 4960 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 64 N/A C:\Windows\svchost.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3264 wrote to memory of 4192 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
PID 3264 wrote to memory of 1060 N/A C:\Windows\svchost.exe C:\Windows\System32\RuntimeBroker.exe
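
The table above shows the original sample (PID 4360) writing into nearly every process in the user session, three writes into its own dropped copy (PID 3264), and that copy then repeating the same fan-out. The following Python is added here as an illustration and is not part of the sandbox output: it parses rows in the report's "PID X wrote to memory of Y" layout and summarises each writer by how many distinct targets it hit, whether it hit one target repeatedly, and whether its own image path looks wrong. The row grammar, the thresholds, the tag names and the subset of rows rebuilt below are assumptions made for this example.

```python
"""
Summarise 'Suspicious use of WriteProcessMemory' rows per writing process:
how many distinct processes it wrote into, whether it hit one target
repeatedly, and whether the writer's own image looks wrong (running from a
user temp directory, or carrying a System32 binary's name from elsewhere).

Added illustration, not part of the sandbox report. The row grammar, the
thresholds, the tag names and the subset of rows below are assumptions made
for this example.
"""
import ntpath
import re
from collections import Counter, defaultdict

WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
FANOUT_THRESHOLD = 5    # distinct targets before the writer is called a spray (assumed)
STAGING_THRESHOLD = 3   # writes into one target before it is called staging (assumed)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names that only legitimately run from SYSTEM_DIRS on a stock Windows 10 install.
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "sihost.exe", "fontdrvhost.exe",
                "runtimebroker.exe", "taskhostw.exe"}


def parse_rows(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each well-formed row."""
    for line in lines:
        m = WPM_ROW.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]


def source_tags(image):
    """Tags describing the writing process's own image path."""
    low = image.lower()
    tags = []
    if "\\appdata\\local\\temp\\" in low:
        tags.append("source_in_temp")
    if ntpath.basename(low) in SYSTEM_NAMES and ntpath.dirname(low) not in SYSTEM_DIRS:
        tags.append("source_masquerade")
    return tags


def analyze(lines):
    """Return {src_pid: {image, writes, distinct_targets, tags}} for every writer."""
    writes = defaultdict(Counter)   # src pid -> Counter of dst pids
    images = {}
    for src, dst, src_image, _dst_image in parse_rows(lines):
        writes[src][dst] += 1
        images[src] = src_image
    report = {}
    for src, targets in writes.items():
        tags = source_tags(images[src])
        if len(targets) >= FANOUT_THRESHOLD:
            tags.append("injection_spray")
        if max(targets.values()) >= STAGING_THRESHOLD:
            tags.append("staged_write")
        report[src] = {
            "image": images[src],
            "writes": sum(targets.values()),
            "distinct_targets": len(targets),
            "tags": sorted(tags),
        }
    return report


# Constructed input: a subset of the report's rows, rebuilt in the same layout.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe"
DROPPED_EXE = r"C:\Windows\svchost.exe"
_EVENTS = [
    (4360, SAMPLE_EXE, 796, r"C:\Windows\system32\fontdrvhost.exe"),
    (4360, SAMPLE_EXE, 792, r"C:\Windows\system32\fontdrvhost.exe"),
    (4360, SAMPLE_EXE, 336, r"C:\Windows\system32\dwm.exe"),
    (4360, SAMPLE_EXE, 3004, r"C:\Windows\system32\sihost.exe"),
    (4360, SAMPLE_EXE, 3068, r"C:\Windows\system32\svchost.exe"),
    (4360, SAMPLE_EXE, 3480, r"C:\Windows\Explorer.EXE"),
    (4360, SAMPLE_EXE, 3264, DROPPED_EXE),
    (4360, SAMPLE_EXE, 3264, DROPPED_EXE),
    (4360, SAMPLE_EXE, 3264, DROPPED_EXE),
    (3264, DROPPED_EXE, 796, r"C:\Windows\system32\fontdrvhost.exe"),
    (3264, DROPPED_EXE, 336, r"C:\Windows\system32\dwm.exe"),
    (3264, DROPPED_EXE, 3480, r"C:\Windows\Explorer.EXE"),
    (3264, DROPPED_EXE, 3996, r"C:\Windows\System32\RuntimeBroker.exe"),
    (3264, DROPPED_EXE, 4192, r"C:\Windows\System32\RuntimeBroker.exe"),
]
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}" for s, si, d, di in _EVENTS]

if __name__ == "__main__":
    for pid, info in sorted(analyze(SAMPLE_ROWS).items()):
        print(f"PID {pid} {ntpath.basename(info['image'])}: {info['writes']} writes into "
              f"{info['distinct_targets']} processes -> {', '.join(info['tags'])}")
```

The fan-out count is the useful signal here: a single writer touching fontdrvhost.exe, dwm.exe, sihost.exe, Explorer and several RuntimeBroker instances within seconds has no benign explanation, and the same rule fires for the dropped copy, whose image path additionally fails the System32 check.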

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe

"C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Windows\svchost.exe

MD5 5e4e5a7e4ed1aaf78dd88893fffec4d6
SHA1 61e00eb3be307cef8fd4993a250dc9b944e434df
SHA256 7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa
SHA512 3c75dd1ccd7738a518333f91f2022da2a225c3b97e623e06c5fa4180d2d5304db61b5c18386617dd5016c3c46bfbaf0f587f47ab7391bbcac65c959a2b51f821

C:\Windows\SYSTEM.INI

MD5 1205ab1fa6fce7e3152bc81bd4b66873
SHA1 5a57e58801d9d77fb76628b04901b33b1ba5e147
SHA256 c62dd8df923d0d072072095553a8a06c98fdcc834fe5cbb7198a443ff9e1462f
SHA512 08d906c90bb6198558ff469675febcaab6fbed9a418508dcca3ff8ddce0d2b9764ceb91cea7834d6be965fe000b04f61e75f0f8ad759cd542ea9a3d170905d24

C:\xdcq.exe

MD5 a7e644a27ac73f7a6c17a385a124ba70
SHA1 b2dc631cb4376d48750731a4f9d053d19337a7db
SHA256 98389bcae8e041410ac16994617f2bcf123c14c0f07bc7e881cd22ef01627176
SHA512 45c6e6fc5a68bbbb49847f933331ee65499b44f9cd3c16629e4a49ea919aee83bb49369e344f9bdae116268019a947461333d299904de5233634ce1d94708ad9

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:27

Reported

2024-06-14 00:29

Platform

win7-20231129-en

Max time kernel

27s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Windows\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN = "C:\\Windows\\System32\\BttnServ.exe" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\BttnServ.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File opened for modification C:\Windows\SysWOW64\BttnServ.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File opened for modification C:\Windows\SysWOW64\BttnServ.exe C:\Windows\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
N/A N/A C:\Windows\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\taskhost.exe
PID 2344 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\Dwm.exe
PID 2344 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\Explorer.EXE
PID 2344 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\system32\DllHost.exe
PID 2344 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 2344 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 2344 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 2344 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe C:\Windows\svchost.exe
PID 2552 wrote to memory of 1296 N/A C:\Windows\svchost.exe C:\Windows\system32\taskhost.exe
PID 2552 wrote to memory of 1356 N/A C:\Windows\svchost.exe C:\Windows\system32\Dwm.exe
PID 2552 wrote to memory of 1400 N/A C:\Windows\svchost.exe C:\Windows\Explorer.EXE
PID 2552 wrote to memory of 1296 N/A C:\Windows\svchost.exe C:\Windows\system32\taskhost.exe
PID 2552 wrote to memory of 1356 N/A C:\Windows\svchost.exe C:\Windows\system32\Dwm.exe
PID 2552 wrote to memory of 1400 N/A C:\Windows\svchost.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe

"C:\Users\Admin\AppData\Local\Temp\7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

Network

N/A

Files

C:\Windows\svchost.exe

MD5 5e4e5a7e4ed1aaf78dd88893fffec4d6
SHA1 61e00eb3be307cef8fd4993a250dc9b944e434df
SHA256 7a57e5bbb33973c25b5b6feee1bc6ba71e84f3df9f3062b2a4f2cb179f2f4dfa
SHA512 3c75dd1ccd7738a518333f91f2022da2a225c3b97e623e06c5fa4180d2d5304db61b5c18386617dd5016c3c46bfbaf0f587f47ab7391bbcac65c959a2b51f821

C:\Windows\SYSTEM.INI

MD5 13e1d6e5c69fac5d0856f6a378474fda
SHA1 5dffc27fb328066406886d6412e6f44af5368ccd
SHA256 24ef7cb96fb2d055d66d44676d6a3b151c3e76ee2c8ef1172c48fc97f090cbca
SHA512 246ee0c2a8ce31a548632b85347c5200e2e3f89ed4d2570c2b8b59e64151c23be0ca877ec4c45ba8779a927a188595c57eca4e925d22d56cd6c5340ed976a905

C:\mqopei.pif

MD5 968373e31bf137dbe8809f9229f55cdf
SHA1 1c16ec44c6bbf2a1f67ac39524d5f8b424992ed4
SHA256 79c1739363110839e5de149cfe918092dc58c93bd60a54860e39069a64aa0926
SHA512 3faa2c201772ff8e2258334319b8a4f55007b15482b1c30849dccf70cdcfd4243abbf9ac06e088750a18c4043a3e698c9f4599c5ab332976c366289e2e830f58