Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-z4evaswekh
Target 4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726
SHA256 4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726

Threat Level: Known bad

The file 4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

Windows security bypass

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Loads dropped DLL

UPX packed file

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 21:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 21:16

Reported

2024-06-14 21:18

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
(26 matches; the sandbox recorded no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(30 matches; the sandbox recorded no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
(26 matches; the sandbox recorded no description, indicator, process or target for any of them)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
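The registry rows in the tables above are what a responder turns into a host check. The Python script below is an added example, not part of the sandbox report or of any tooling the report describes. It parses rows in the report's own "Description Indicator Process Target" layout, normalizes the kernel-style \REGISTRY\MACHINE paths to the HKLM form used by reg.exe (folding Wow6432Node and ControlSet001), labels the values that match the tampering seen in this detonation (EnableLUA = 0, EnableFirewall = 0, the Security Center Override and DisableNotify flags), and emits one reg query per distinct value for checking a suspect host. The embedded rows are copied from the tables above; the meaning attached to each value is this example's own reading of the key, and the Security Center\Svc subkey is only reported as created, not interpreted.

```python
import re
from collections import defaultdict

# Rows excerpted verbatim from the behavioral1 signature tables in this report;
# any sandbox row in the same "Description Indicator Process Target" layout parses.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
"""

# "Set value (int) <path> = "<v>" <process> N/A"  or  "Key created <path> <process> N/A".
# The key path may contain spaces ("Security Center"), so it is matched lazily and
# terminated by the drive-letter prefix of the process path.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(int\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>[A-Za-z]:\\\S+) N/A$'
)

# Value name -> (value that indicates tampering, what that setting does).
# The meanings are this example's reading of the keys, not text from the report.
TAMPER_RULES = {
    "EnableLUA": ("0", "UAC disabled"),
    "EnableFirewall": ("0", "Windows Firewall standard profile turned off"),
    "DoNotAllowExceptions": ("0", "firewall 'block all incoming connections' cleared"),
    "DisableNotifications": ("1", "firewall notifications suppressed"),
    "AntiVirusOverride": ("1", "Security Center told AV state is handled elsewhere"),
    "AntiVirusDisableNotify": ("1", "Security Center AV alerts suppressed"),
    "FirewallOverride": ("1", "Security Center told firewall state is handled elsewhere"),
    "FirewallDisableNotify": ("1", "Security Center firewall alerts suppressed"),
    "UpdatesDisableNotify": ("1", "Security Center update alerts suppressed"),
    "UacDisableNotify": ("1", "Security Center UAC alerts suppressed"),
}


def normalize_key(native_path):
    """Convert a kernel-style path (\\REGISTRY\\MACHINE\\...) to the HKLM\\... form
    reg.exe uses, folding WOW64 redirection (Wow6432Node) and the ControlSetNNN
    alias so identical tampering compares equal across hosts."""
    key = re.sub(r'^\\REGISTRY\\MACHINE\\', 'HKLM\\\\', native_path, flags=re.I)
    key = re.sub(r'\\Wow6432Node\\', '\\\\', key, flags=re.I)
    key = re.sub(r'\\ControlSet\d{3}\\', '\\\\CurrentControlSet\\\\', key, flags=re.I)
    return key


def parse_rows(text):
    """Return (process, parent_key, value_or_subkey_name, value) tuples; a
    'Key created' row yields the created subkey's name with value None."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, _, name = normalize_key(m.group("path")).rpartition("\\")
        events.append((m.group("proc"), parent, name, m.group("value")))
    return events


def assess(events):
    """Map each process to the sorted list of security-control changes it made."""
    findings = defaultdict(set)
    for proc, parent, name, value in events:
        if value is None and name.lower() == "svc" and parent.lower().endswith("security center"):
            findings[proc].add(f"{parent}\\Svc subkey created")
            continue
        rule = TAMPER_RULES.get(name)
        if rule and value == rule[0]:
            findings[proc].add(f"{parent}!{name}={value}: {rule[1]}")
    return {proc: sorted(items) for proc, items in findings.items()}


def hunt_commands(events):
    """One reg.exe query per distinct key/value, for checking a suspect host."""
    seen, cmds = set(), []
    for _proc, parent, name, value in events:
        if value is None or (parent, name) in seen:
            continue
        seen.add((parent, name))
        cmds.append(f'reg query "{parent}" /v {name}')
    return cmds


if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    for proc, items in assess(events).items():
        print(proc)
        for item in items:
            print("  ", item)
    print("\n".join(hunt_commands(events)))
```

On a live host the emitted reg query lines should be run from an elevated prompt; a value that matches the "bad" column in TAMPER_RULES is the same state this sample leaves behind, and EnableLUA = 0 in particular only takes effect after a reboot, so a freshly infected machine may still show UAC prompts while the key is already set.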

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761e98 C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
File created C:\Windows\f766ef9 C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A (21 calls)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A (20 calls)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 calls)
PID 1896 wrote to memory of 1740 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761e2b.exe (4 calls)
PID 1740 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\taskhost.exe (2 calls)
PID 1740 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\Dwm.exe (2 calls)
PID 1740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\Explorer.EXE (2 calls)
PID 1740 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\DllHost.exe (1 call)
PID 1740 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\rundll32.exe (1 call)
PID 1740 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\SysWOW64\rundll32.exe (2 calls)
PID 1896 wrote to memory of 2456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761fff.exe (4 calls)
PID 1896 wrote to memory of 1376 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7639b6.exe (4 calls)
PID 1740 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Users\Admin\AppData\Local\Temp\f761fff.exe (2 calls)
PID 1740 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Users\Admin\AppData\Local\Temp\f7639b6.exe (2 calls)
PID 1376 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\f7639b6.exe C:\Windows\system32\taskhost.exe (1 call)
PID 1376 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\f7639b6.exe C:\Windows\system32\Dwm.exe (1 call)
PID 1376 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f7639b6.exe C:\Windows\Explorer.EXE (1 call)
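The WriteProcessMemory rows above are the process-injection evidence in this detonation: the dropped f761e2b.exe and f7639b6.exe write into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, while the rundll32 hosts write into the executables they launch. The Python below is an added example, not code from the report or from the sandbox. It parses rows in the report's layout, collapses repeated calls into one edge with a count, and separates writes into already-running Windows processes from the ordinary parent-to-child writes made when starting a dropped payload. The heuristic it applies (a process running from a user-writable path writing into a binary under C:\Windows counts as injection) is this example's assumption and is not proof on its own; the embedded rows are copied from the table above.

```python
import re
from collections import Counter, namedtuple

Write = namedtuple("Write", "src dst src_image dst_image")

# Rows excerpted from the behavioral1 WriteProcessMemory table in this report.
# The sandbox emits one row per call, so a repeat is kept to show de-duplication.
SAMPLE_ROWS = r"""
PID 1976 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1896 wrote to memory of 1740 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761e2b.exe
PID 1740 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\taskhost.exe
PID 1740 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\Dwm.exe
PID 1740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\Explorer.EXE
PID 1740 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\DllHost.exe
PID 1740 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\f761e2b.exe C:\Windows\system32\rundll32.exe
PID 1896 wrote to memory of 1376 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7639b6.exe
PID 1376 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\f7639b6.exe C:\Windows\system32\taskhost.exe
"""

ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_image>[A-Za-z]:\\\S+) (?P<dst_image>[A-Za-z]:\\\S+)$'
)

INJECTION = "injection into already-running Windows process"
LAUNCH = "parent writing into a dropped payload it is starting"
HOST_TO_HOST = "write between two Windows binaries (review manually)"


def is_windows_image(path):
    """True for binaries under C:\\Windows: here the session processes
    (taskhost, Dwm, Explorer, DllHost) and the two rundll32 hosts."""
    return path.lower().startswith("c:\\windows\\")


def parse_writes(text):
    """Parse 'PID a wrote to memory of b N/A <src image> <dst image>' rows."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            writes.append(Write(int(m.group("src")), int(m.group("dst")),
                                m.group("src_image"), m.group("dst_image")))
    return writes


def edge_counts(writes):
    """Collapse repeated rows into (src_pid, dst_pid) -> number of writes."""
    return Counter((w.src, w.dst) for w in writes)


def classify(writes):
    """Label each distinct writer->target pair (heuristic, see lead-in)."""
    verdicts = {}
    for w in writes:
        pair = (w.src, w.dst)
        if pair in verdicts:
            continue
        src_sys, dst_sys = is_windows_image(w.src_image), is_windows_image(w.dst_image)
        if not src_sys and dst_sys:
            verdicts[pair] = INJECTION
        elif src_sys and not dst_sys:
            verdicts[pair] = LAUNCH
        else:
            verdicts[pair] = HOST_TO_HOST
    return verdicts


def injected_system_pids(writes):
    """PIDs of Windows processes written to by a Temp-resident executable:
    the processes to memory-dump and scan first during triage."""
    return sorted({dst for (_src, dst), v in classify(writes).items() if v == INJECTION})


def summarize(writes):
    """One line per distinct edge: 'src (image) -> dst (image) xN [verdict]'."""
    images = {}
    for w in writes:
        images[w.src] = w.src_image.rsplit("\\", 1)[-1]
        images[w.dst] = w.dst_image.rsplit("\\", 1)[-1]
    verdicts = classify(writes)
    return [f"{s} ({images[s]}) -> {d} ({images[d]}) x{n} [{verdicts[(s, d)]}]"
            for (s, d), n in edge_counts(writes).items()]


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_ROWS)
    for line in summarize(writes):
        print(line)
    print("dump first:", injected_system_pids(writes))
```

The 64-bit rundll32.exe writing into the SysWOW64 rundll32.exe it spawned is what running a 32-bit DLL through rundll32 on 64-bit Windows looks like, so the script leaves that edge for manual review rather than calling it injection; the edges that matter for triage are the ones from PIDs 1740 and 1376 into the session processes, which is why those PIDs are the first to memory-dump.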

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7639b6.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761e2b.exe

C:\Users\Admin\AppData\Local\Temp\f761e2b.exe

C:\Users\Admin\AppData\Local\Temp\f761fff.exe

C:\Users\Admin\AppData\Local\Temp\f761fff.exe

C:\Users\Admin\AppData\Local\Temp\f7639b6.exe

C:\Users\Admin\AppData\Local\Temp\f7639b6.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761e2b.exe

MD5 d6a464080e0625c9ee8b79256b838765
SHA1 26c05f223ccbdeb541cd428db305c301c19ae587
SHA256 709f868f5a02996c3e468501341400a48e17f5d133a7b35fc6f32c7f6be12450
SHA512 59cc040573cf6fd4771eeeaa194f51fe342042b8f55cb79e8efa54ebe96eab1d7d344a362782bc7ad891fa1b7dacdc6c574f342a7bc1e28b8164a7fadfae7cbd

memory/1740-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1896-10-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1896-9-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1896-8-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1740-12-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-16-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-14-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-19-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-21-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-47-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/1896-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2456-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1896-56-0x0000000000290000-0x00000000002A2000-memory.dmp

memory/1740-55-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/1896-54-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1740-45-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/1896-39-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1896-37-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1896-36-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1040-28-0x00000000021B0000-0x00000000021B2000-memory.dmp

memory/1740-20-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-18-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-17-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-15-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-22-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-61-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-60-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-62-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-63-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-64-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-66-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-67-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1896-80-0x0000000000130000-0x0000000000132000-memory.dmp

memory/1376-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1896-71-0x00000000002B0000-0x00000000002C2000-memory.dmp

memory/1740-83-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-85-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-86-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1376-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2456-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1376-102-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1376-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2456-95-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1740-103-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/2456-94-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1740-104-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-117-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-129-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/1740-153-0x00000000006F0000-0x00000000017AA000-memory.dmp

memory/1740-152-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 1d8ada5aa4e66ead1658117d0c03b6fb
SHA1 91c6e53fe7a8179a1f9d2f623334f44026bf44f9
SHA256 459679b6b71287fa78beaf62ccd1419bbce33e807e6144fa87897ee764249909
SHA512 f0f04a457d0d9c25ed571a454e305761f33e46fb3cd44beadbba7a41ab609a9685a76c172587dac13d6bb17f8636f6bf360beecda3f28e2323272272bd0128b1

memory/2456-180-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1376-167-0x0000000000940000-0x00000000019FA000-memory.dmp

memory/1376-207-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1376-208-0x0000000000940000-0x00000000019FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 21:16

Reported

2024-06-14 21:18

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
(30 matches; the sandbox recorded no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(34 matches; the sandbox recorded no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
(30 matches; the sandbox recorded no description, indicator, process or target for any of them)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57e138 C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1832 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1832 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe
PID 4600 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe
PID 4600 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe
PID 2352 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\fontdrvhost.exe
PID 2352 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\fontdrvhost.exe
PID 2352 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\dwm.exe
PID 2352 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\sihost.exe
PID 2352 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\svchost.exe
PID 2352 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\taskhostw.exe
PID 2352 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\Explorer.EXE
PID 2352 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\svchost.exe
PID 2352 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\DllHost.exe
PID 2352 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2352 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2352 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2352 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2352 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\rundll32.exe
PID 2352 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 4600 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 4600 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 4600 wrote to memory of 4980 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
PID 4600 wrote to memory of 4980 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
PID 4600 wrote to memory of 4980 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
PID 2352 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\fontdrvhost.exe
PID 2352 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\fontdrvhost.exe
PID 2352 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\dwm.exe
PID 2352 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\sihost.exe
PID 2352 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\svchost.exe
PID 2352 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\taskhostw.exe
PID 2352 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\Explorer.EXE
PID 2352 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\svchost.exe
PID 2352 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\DllHost.exe
PID 2352 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2352 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2352 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2352 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 2352 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 2352 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\System32\RuntimeBroker.exe
PID 2352 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
PID 2352 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
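
The rows above are one event per WriteProcessMemory call, so the same source/target pair recurs and the chain of who wrote into whom is hard to read off the table. The script below is an added example, not part of the sandbox report: it parses a subset of the rows copied from this table (the row layout it assumes is "PID <src> wrote to memory of <dst> N/A <source image> <target image>"), rebuilds the write graph, finds the shortest chain from the first rundll32.exe to the dropped e57e0fa.exe, and lists the distinct images that process wrote into.

```python
"""Rebuild the cross-process write graph from the report's
'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report.  ROWS is a subset of rows
copied from the report; the row layout the regex assumes is
'PID <src> wrote to memory of <dst> N/A <source image> <target image>'.
"""
import re
from collections import Counter, defaultdict, deque
from typing import NamedTuple

# Subset of rows copied from the report.  The report logs one row per
# WriteProcessMemory call, so identical rows are real repeats, not noise.
ROWS = r"""
PID 1832 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1832 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1832 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe
PID 4600 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe
PID 4600 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe
PID 2352 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\fontdrvhost.exe
PID 2352 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\dwm.exe
PID 2352 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\Explorer.EXE
PID 2352 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\system32\rundll32.exe
PID 2352 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 4600 wrote to memory of 4980 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
PID 2352 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe
PID 2352 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe C:\Users\Admin\AppData\Local\Temp\e57fccf.exe
"""

# The source image is matched lazily so it stops at the ' X:\' that opens
# the target path; paths containing spaces ('Program Files (x86)') survive.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$"
)


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text: str) -> list[Write]:
    """One Write per matching row; header and unrelated lines are skipped."""
    writes = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            s, d, si, di = m.groups()
            writes.append(Write(int(s), int(d), si, di))
    return writes


def build_graph(writes):
    """Return (pid -> image path, src pid -> Counter(dst pid -> call count))."""
    image_of = {}
    edges = defaultdict(Counter)
    for w in writes:
        image_of[w.src_pid] = w.src_image
        image_of[w.dst_pid] = w.dst_image
        edges[w.src_pid][w.dst_pid] += 1
    return image_of, edges


def top_injector(edges) -> int:
    """PID that wrote into the largest number of distinct processes."""
    return max(edges, key=lambda pid: len(edges[pid]))


def path(edges, start: int, goal: int) -> list[int]:
    """Shortest write chain start -> ... -> goal (BFS; the graph has cycles,
    e.g. 2352 writes back into the rundll32 processes that loaded it)."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        pid = queue.popleft()
        if pid == goal:
            chain = []
            while pid is not None:
                chain.append(pid)
                pid = prev[pid]
            return chain[::-1]
        for nxt in edges.get(pid, {}):
            if nxt not in prev:
                prev[nxt] = pid
                queue.append(nxt)
    return []  # goal never written to, directly or indirectly, from start


def target_images(edges, image_of, pid: int) -> list[str]:
    """Distinct image basenames a PID wrote into, sorted case-insensitively."""
    names = {image_of[d].rsplit("\\", 1)[-1] for d in edges.get(pid, {})}
    return sorted(names, key=str.lower)


if __name__ == "__main__":
    writes = parse_rows(ROWS)
    image_of, edges = build_graph(writes)
    inj = top_injector(edges)
    print("loader chain:", " -> ".join(map(str, path(edges, 1832, inj))))
    print(f"top injector {inj} ({image_of[inj]}) wrote into {len(edges[inj])} processes:")
    for name in target_images(edges, image_of, inj):
        print("  ", name)
```

Run against the full table the same way: copy every row under the header into ROWS. The call counts per edge are kept (edges[src][dst]), so repeated rows for one pair are counted rather than collapsed, and the fan-out figure for PID 2352 is the number of distinct processes it touched.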

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffe7ebcceb8,0x7ffe7ebccec4,0x7ffe7ebcced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2336,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2064,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d105499922c7b4f19ae69b0c697ac299b699f347f99af6670326951560cd726.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe

C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe

C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe

C:\Users\Admin\AppData\Local\Temp\e57e1e4.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3628,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e57fccf.exe

C:\Users\Admin\AppData\Local\Temp\e57fccf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4600-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57e0fa.exe

MD5 d6a464080e0625c9ee8b79256b838765
SHA1 26c05f223ccbdeb541cd428db305c301c19ae587
SHA256 709f868f5a02996c3e468501341400a48e17f5d133a7b35fc6f32c7f6be12450
SHA512 59cc040573cf6fd4771eeeaa194f51fe342042b8f55cb79e8efa54ebe96eab1d7d344a362782bc7ad891fa1b7dacdc6c574f342a7bc1e28b8164a7fadfae7cbd

memory/2352-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2352-6-0x0000000000790000-0x000000000184A000-memory.dmp

memory/4600-15-0x0000000000A90000-0x0000000000A92000-memory.dmp

memory/2352-9-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-10-0x0000000000790000-0x000000000184A000-memory.dmp

memory/4600-27-0x0000000000A90000-0x0000000000A92000-memory.dmp

memory/2352-23-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-24-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-33-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-22-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-35-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-34-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2452-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2352-25-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/2352-19-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/2352-18-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-14-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

memory/4600-12-0x0000000002530000-0x0000000002531000-memory.dmp

memory/4600-11-0x0000000000A90000-0x0000000000A92000-memory.dmp

memory/2352-37-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-36-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-38-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-39-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-40-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-42-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-43-0x0000000000790000-0x000000000184A000-memory.dmp

memory/4980-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2352-52-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-54-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-55-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2452-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4980-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4980-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4980-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2452-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2452-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2352-65-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-67-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-70-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-72-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-74-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-76-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-78-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-80-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-81-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-83-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2352-84-0x0000000001B70000-0x0000000001B72000-memory.dmp

memory/2352-103-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2452-107-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4980-111-0x0000000000400000-0x0000000000412000-memory.dmp
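
Each dump name above encodes the PID, a capture sequence number and the start and end address of the region. Grouping the names by address range shows which processes carry identically laid-out regions: 0x400000-0x412000 appears in 2352, 2452 and 4980 (the three dropped executables), and 0x1E0000-0x1E2000 in 2452 and 4980. The script below is an added example, not part of the report: it parses a subset of the names copied from this section (the name layout it assumes is the one visible above, memory/<pid>-<seq>-<start>-<end>-memory.dmp), lists the regions shared across processes with their size, and returns the latest capture of a region in a process, which is the dump to open first when looking for the fully unpacked image.

```python
"""Parse 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' names from the
report's Files section and group the dumped regions by address range.

Added example, not part of the sandbox report.  DUMPS is a subset of names
copied from the report; the name layout the regex assumes is the one the
report shows.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Names copied from the report's Files section (subset).
DUMPS = """
memory/4600-1-0x0000000010000000-0x0000000010020000-memory.dmp
memory/2352-5-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2352-6-0x0000000000790000-0x000000000184A000-memory.dmp
memory/4600-15-0x0000000000A90000-0x0000000000A92000-memory.dmp
memory/2352-9-0x0000000000790000-0x000000000184A000-memory.dmp
memory/2452-26-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2352-25-0x0000000001B70000-0x0000000001B72000-memory.dmp
memory/4980-51-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2452-63-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/4980-64-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/2352-103-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2452-107-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4980-111-0x0000000000400000-0x0000000000412000-memory.dmp
"""

NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


class Dump(NamedTuple):
    pid: int
    seq: int    # capture order within the detonation; higher = later
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(text: str) -> list[Dump]:
    """One Dump per name; anything that does not match the layout is skipped."""
    out = []
    for token in text.split():
        m = NAME_RE.match(token)
        if m:
            pid, seq, start, end = m.groups()
            out.append(Dump(int(pid), int(seq), int(start, 16), int(end, 16)))
    return out


def regions_by_range(dumps):
    """(start, end) -> pid -> sorted list of capture seqs."""
    table = defaultdict(lambda: defaultdict(list))
    for d in dumps:
        table[(d.start, d.end)][d.pid].append(d.seq)
    for pids in table.values():
        for seqs in pids.values():
            seqs.sort()
    return table


def shared_regions(dumps, min_pids: int = 2):
    """Address ranges dumped from at least min_pids distinct processes,
    as (start, end, size, sorted pids), ordered by start address."""
    out = []
    for (start, end), pids in regions_by_range(dumps).items():
        if len(pids) >= min_pids:
            out.append((start, end, end - start, sorted(pids)))
    return sorted(out)


def latest_capture(dumps, pid: int, start: int):
    """Highest capture seq of the region beginning at `start` in `pid`,
    or None if that process never had that region dumped."""
    seqs = [d.seq for d in dumps if d.pid == pid and d.start == start]
    return max(seqs) if seqs else None


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    for start, end, size, pids in shared_regions(dumps):
        print(f"0x{start:08X}-0x{end:08X} ({size:#x} bytes) in PIDs {pids}")
    for pid in (2352, 2452, 4980):
        print(f"PID {pid}: latest dump of 0x400000 region is seq",
              latest_capture(dumps, pid, 0x400000))
```

With the full Files list pasted into DUMPS the same grouping also shows the large 0x790000-0x184A000 region captured repeatedly from PID 2352 only, and the 0x10000000-0x10020000 region from PID 4600 only, which is the rundll32.exe that loaded the sample DLL.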