Malware Analysis Report

2024-09-11 11:55

Sample ID 240616-31bj9ayejl
Target 94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187
SHA256 94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187

Threat Level: Known bad

The file 94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Modifies firewall policy service

Sality

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Windows security modification

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:58

Reported

2024-06-17 00:00

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7669ab C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A
File created C:\Windows\f76196a C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 3052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3052 wrote to memory of 2156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76190c.exe
PID 2156 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Windows\system32\taskhost.exe
PID 2156 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Windows\system32\Dwm.exe
PID 2156 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Windows\Explorer.EXE
PID 2156 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Windows\system32\DllHost.exe
PID 2156 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Windows\system32\rundll32.exe
PID 2156 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Windows\SysWOW64\rundll32.exe
PID 3052 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ab2.exe
PID 3052 wrote to memory of 2976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763488.exe
PID 2156 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Users\Admin\AppData\Local\Temp\f761ab2.exe
PID 2156 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\f76190c.exe C:\Users\Admin\AppData\Local\Temp\f763488.exe
PID 2976 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\f763488.exe C:\Windows\system32\taskhost.exe
PID 2976 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\f763488.exe C:\Windows\system32\Dwm.exe
PID 2976 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\f763488.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76190c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763488.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76190c.exe

C:\Users\Admin\AppData\Local\Temp\f76190c.exe

C:\Users\Admin\AppData\Local\Temp\f761ab2.exe

C:\Users\Admin\AppData\Local\Temp\f761ab2.exe

C:\Users\Admin\AppData\Local\Temp\f763488.exe

C:\Users\Admin\AppData\Local\Temp\f763488.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f76190c.exe

MD5 2b3090ed9e3413e1109b6f035f034004
SHA1 e9d311f67fdffc471880bfebb9c5dde2aa1a417c
SHA256 6e344a70d2d9c61dc769279a0a416ec3af4462f58eea2f6eeb3d377c2a688a31
SHA512 88a0096b789e34df32fb5b3b1f576ddeb3e4c16294658827e04729207d07ee186f0f5c1586fadcedf878badb1369b47f2fa621d63ebf7860366857ef200ebfa9

memory/3052-7-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3052-8-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2156-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3052-9-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2156-14-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-23-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-17-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-16-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-15-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-19-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-20-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-21-0x0000000000560000-0x000000000161A000-memory.dmp

memory/3052-46-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2156-49-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2156-47-0x0000000001660000-0x0000000001661000-memory.dmp

memory/2784-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3052-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3052-59-0x0000000000200000-0x0000000000212000-memory.dmp

memory/2156-58-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/3052-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3052-38-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3052-37-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1224-29-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2156-18-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-22-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-62-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-63-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-64-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-65-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-66-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-68-0x0000000000560000-0x000000000161A000-memory.dmp

memory/3052-77-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2976-80-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2156-81-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-83-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-84-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2784-96-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2784-95-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2976-101-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2976-103-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2156-104-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2976-107-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2784-106-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2156-124-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-150-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2156-149-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2784-154-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 2db834b5f0a49479daa494ef2c7e7eb2
SHA1 7e91d9e6792e23989387051ead594b5f07b7db5e
SHA256 38a5bdc202b2dce4991bb2309fe6cfa4c79db9af72e484d11449a7689e5ad901
SHA512 834f073e4b2650084dc5bb9ce1da7fa4fc5e9e68a31108b0b8113d930bfac3b707c12af52ea3f5fa00bf9f4afb25f6e1be900bfab89661fd40b5acb17cb3cbf9

memory/2976-166-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2976-204-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2976-205-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:58

Reported

2024-06-17 00:00

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
File created C:\Windows\e578df8 C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A
File created C:\Windows\e573b63 C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5000 wrote to memory of 4740 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573b15.exe
PID 4740 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\fontdrvhost.exe
PID 4740 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\fontdrvhost.exe
PID 4740 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\dwm.exe
PID 4740 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\sihost.exe
PID 4740 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\svchost.exe
PID 4740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\taskhostw.exe
PID 4740 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\Explorer.EXE
PID 4740 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\svchost.exe
PID 4740 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\DllHost.exe
PID 4740 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4740 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\System32\RuntimeBroker.exe
PID 4740 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4740 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\System32\RuntimeBroker.exe
PID 4740 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4740 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\System32\RuntimeBroker.exe
PID 4740 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4740 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4740 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\system32\rundll32.exe
PID 4740 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\SysWOW64\rundll32.exe
PID 5000 wrote to memory of 4964 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573c6d.exe
PID 5000 wrote to memory of 3992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575c2a.exe
PID 5000 wrote to memory of 5064 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575c49.exe
PID 4740 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Users\Admin\AppData\Local\Temp\e573c6d.exe
PID 4740 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\System32\RuntimeBroker.exe
PID 4740 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Windows\System32\RuntimeBroker.exe
PID 4740 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Users\Admin\AppData\Local\Temp\e575c2a.exe
PID 4740 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\e573b15.exe C:\Users\Admin\AppData\Local\Temp\e575c49.exe
PID 5064 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e575c49.exe C:\Windows\system32\fontdrvhost.exe
PID 5064 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575c49.exe C:\Windows\system32\fontdrvhost.exe
PID 5064 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e575c49.exe C:\Windows\system32\dwm.exe
PID 5064 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e575c49.exe C:\Windows\system32\sihost.exe
PID 5064 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\e575c49.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573b15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575c49.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\94b52422350e63059248132cce80202ff84a5315a31776afffc0b32186a00187.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573b15.exe

C:\Users\Admin\AppData\Local\Temp\e573b15.exe

C:\Users\Admin\AppData\Local\Temp\e573c6d.exe

C:\Users\Admin\AppData\Local\Temp\e573c6d.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e575c2a.exe

C:\Users\Admin\AppData\Local\Temp\e575c2a.exe

C:\Users\Admin\AppData\Local\Temp\e575c49.exe

C:\Users\Admin\AppData\Local\Temp\e575c49.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e573b15.exe

MD5 2b3090ed9e3413e1109b6f035f034004
SHA1 e9d311f67fdffc471880bfebb9c5dde2aa1a417c
SHA256 6e344a70d2d9c61dc769279a0a416ec3af4462f58eea2f6eeb3d377c2a688a31
SHA512 88a0096b789e34df32fb5b3b1f576ddeb3e4c16294658827e04729207d07ee186f0f5c1586fadcedf878badb1369b47f2fa621d63ebf7860366857ef200ebfa9

C:\Windows\SYSTEM.INI

MD5 3f226c6d35d20854f97de0dd45624ea3
SHA1 de7e2f2eab58c9d00be4d80059227456a89a5260
SHA256 c83539c9024666ce0db068175e3ea6a78491f93abf2f41a5d82918754e636430
SHA512 b0ab50186f0cc83ca10b909bac058638d10d3da29c5923a1bb0af5f36731711f3b6fce8172f41eca1c91794d9e2cf9e92f309daa3f28dfedc4b292def9d95150