Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-bfpslayfkf
Target 8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2
SHA256 8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2

Threat Level: Known bad

The file 8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Modifies firewall policy service

UAC bypass

Sality

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

UPX packed file

Loads dropped DLL

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:05

Reported

2024-06-14 01:07

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f7600bc | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
File created | C:\Windows\f7651c8 | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1960 wrote to memory of 2064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76005e.exe
PID 2064 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76005e.exe
PID 2064 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76005e.exe
PID 2064 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76005e.exe
PID 1184 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\system32\taskhost.exe
PID 1184 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\system32\Dwm.exe
PID 1184 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\Explorer.EXE
PID 1184 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\system32\DllHost.exe
PID 1184 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\system32\rundll32.exe
PID 1184 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1184 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f760213.exe
PID 2064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f760213.exe
PID 2064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f760213.exe
PID 2064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f760213.exe
PID 2064 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761c47.exe
PID 2064 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761c47.exe
PID 2064 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761c47.exe
PID 2064 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761c47.exe
PID 1184 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\system32\taskhost.exe
PID 1184 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\system32\Dwm.exe
PID 1184 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Windows\Explorer.EXE
PID 1184 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Users\Admin\AppData\Local\Temp\f760213.exe
PID 1184 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Users\Admin\AppData\Local\Temp\f760213.exe
PID 1184 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Users\Admin\AppData\Local\Temp\f761c47.exe
PID 1184 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | C:\Users\Admin\AppData\Local\Temp\f761c47.exe
PID 2940 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | C:\Windows\system32\taskhost.exe
PID 2940 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | C:\Windows\system32\Dwm.exe
PID 2940 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | C:\Windows\Explorer.EXE

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76005e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761c47.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76005e.exe

C:\Users\Admin\AppData\Local\Temp\f76005e.exe

C:\Users\Admin\AppData\Local\Temp\f760213.exe

C:\Users\Admin\AppData\Local\Temp\f760213.exe

C:\Users\Admin\AppData\Local\Temp\f761c47.exe

C:\Users\Admin\AppData\Local\Temp\f761c47.exe

Network

N/A

Files

memory/2064-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76005e.exe

MD5 157cacee8fee17fedc3df5b1e1030444
SHA1 9fd987daff10b1563c01ddc5cc2ffc0af9653da3
SHA256 273b4156ccafbbe9b330e6dd042d5f0eeb3ebeb51c477c418bced27a7c77e1dd
SHA512 ae9082805468a6850a3b0f43c3cabe364dca9df2ab03d97bbb57bd62ffbf83ea6bba2b6ebc076dd2be659210e901cc1b7efde7e930ead5593e13acd677455549

memory/2064-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1184-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2064-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1184-12-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-16-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-14-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-17-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-19-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2064-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1184-15-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-21-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-46-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/1184-22-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2484-58-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2064-57-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2064-56-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1184-55-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/1184-44-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2064-43-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2064-53-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2064-34-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1244-28-0x0000000001FA0000-0x0000000001FA2000-memory.dmp

memory/1184-20-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-18-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-59-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-60-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-61-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-62-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-63-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-65-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-66-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2940-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2064-75-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1184-79-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-80-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-83-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-84-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2484-94-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2484-93-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2940-99-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2940-102-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2484-101-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2940-100-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/1184-105-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1184-117-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/1184-149-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1184-150-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2484-154-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2940-156-0x0000000000910000-0x00000000019CA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 26bbb0d351d2a50eaba6170c5553929f
SHA1 75eb8f0675b3749c257b7604889f7567f7a340db
SHA256 38fcaa73ceb5378bb1e3f6e95178c27304522680553432944060fb345acd70c0
SHA512 f08d3340f807f2f5cbf26b9eebb69805796a26918742566c8a3732eee65670e4d1b0d18677c6dd5d879262170b26298ab83ec7f6a1494ec1fdd6614f7931ff94

memory/2940-204-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2940-205-0x0000000000910000-0x00000000019CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:05

Reported

2024-06-14 01:07

Platform

win10v2004-20240611-en

Max time kernel

98s

Max time network

96s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574e2f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575052.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576fd1.exe | N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576fd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576fd1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575052.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576fd1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574e9d C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
File created C:\Windows\e579f8c C:\Users\Admin\AppData\Local\Temp\e575052.exe N/A
File created C:\Windows\e57be4f C:\Users\Admin\AppData\Local\Temp\e576fd1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 4724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e2f.exe
PID 4724 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\fontdrvhost.exe
PID 4724 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\fontdrvhost.exe
PID 4724 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\dwm.exe
PID 4724 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\sihost.exe
PID 4724 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\svchost.exe
PID 4724 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\taskhostw.exe
PID 4724 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\Explorer.EXE
PID 4724 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\svchost.exe
PID 4724 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\DllHost.exe
PID 4724 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4724 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\System32\RuntimeBroker.exe
PID 4724 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4724 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\System32\RuntimeBroker.exe
PID 4724 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4724 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\System32\RuntimeBroker.exe
PID 4724 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4724 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4724 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\system32\rundll32.exe
PID 4724 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575052.exe
PID 2568 wrote to memory of 5028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576fd1.exe
PID 2568 wrote to memory of 1424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576fe0.exe
PID 4724 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Users\Admin\AppData\Local\Temp\e575052.exe
PID 4724 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\System32\RuntimeBroker.exe
PID 4724 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Windows\System32\RuntimeBroker.exe
PID 4724 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Users\Admin\AppData\Local\Temp\e576fd1.exe
PID 4724 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\e574e2f.exe C:\Users\Admin\AppData\Local\Temp\e576fe0.exe
PID 2972 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e575052.exe C:\Windows\system32\fontdrvhost.exe
PID 2972 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e575052.exe C:\Windows\system32\fontdrvhost.exe
PID 2972 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e575052.exe C:\Windows\system32\dwm.exe
PID 2972 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e575052.exe C:\Windows\system32\sihost.exe
PID 2972 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\e575052.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574e2f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575052.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576fd1.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a14d42eabe0da8f826a3f1d29d7b42c7a4a4119030ba4353a71831ef5cb8ac2.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574e2f.exe

C:\Users\Admin\AppData\Local\Temp\e574e2f.exe

C:\Users\Admin\AppData\Local\Temp\e575052.exe

C:\Users\Admin\AppData\Local\Temp\e575052.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576fd1.exe

C:\Users\Admin\AppData\Local\Temp\e576fd1.exe

C:\Users\Admin\AppData\Local\Temp\e576fe0.exe

C:\Users\Admin\AppData\Local\Temp\e576fe0.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e574e2f.exe

MD5 157cacee8fee17fedc3df5b1e1030444
SHA1 9fd987daff10b1563c01ddc5cc2ffc0af9653da3
SHA256 273b4156ccafbbe9b330e6dd042d5f0eeb3ebeb51c477c418bced27a7c77e1dd
SHA512 ae9082805468a6850a3b0f43c3cabe364dca9df2ab03d97bbb57bd62ffbf83ea6bba2b6ebc076dd2be659210e901cc1b7efde7e930ead5593e13acd677455549

C:\Windows\SYSTEM.INI

MD5 eab97b227949ff51ad9afdeadecf44e6
SHA1 e12823f004a82f2dd078a6aa7c8baaba4a5125d9
SHA256 c57bb68aefe7253f22baaf38e715fb5c08c7db0c442203790f294cf9f6a47559
SHA512 6f243e2703e0f6174a849c85e9655756965b60048d2a25a8d232d4377e023ac0407b90180e8034a3754453fca7ac0f82613569899ee75b8c97104b5b65797942
