Malware Analysis Report

2024-09-11 12:01

Sample ID 240616-3zhxyaydqj
Target 93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f
SHA256 93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f
Threat level: Known bad (the file 93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f was found to be Known bad)

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Sality

UAC bypass

Windows security bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-16 23:56

Signatures

Unsigned PE (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 23:56
Reported: 2024-06-16 23:59
Platform: win7-20240611-en
Max time kernel: 118s
Max time network: 119s

Command Line

"taskhost.exe"

(This is the first entry of the process list, an injection target, not the sample's own invocation. The sample DLL was started as rundll32.exe C:\Users\Admin\AppData\Local\Temp\93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f.dll,#1; see Processes.)

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

28 matches recorded; the sandbox kept no description, indicator, process or target for any of them.

UPX dump on OEP (original entry point)

32 matches recorded; the sandbox kept no description, indicator, process or target for any of them.

UPX packed file

upx
28 matches recorded; the sandbox kept no description, indicator, process or target for any of them.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A

Checks whether UAC is enabled

evasion trojan
(The rows recorded under this signature are the same EnableLUA = "0" writes already listed under UAC bypass; the sandbox logged writes to the value, not reads of it.)
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760703 C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
File created C:\Windows\f765754 C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A (21 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A (20 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(rows are in the order the sandbox recorded them; "(xN)" after the target PID marks N consecutive identical rows)
PID 2648 wrote to memory of 1716 (x7) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 2748 (x4) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760696.exe
PID 2748 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\taskhost.exe
PID 2748 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\Dwm.exe
PID 2748 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\Explorer.EXE
PID 2748 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\DllHost.exe
PID 2748 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\rundll32.exe
PID 2748 wrote to memory of 1716 (x2) N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 2740 (x4) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76084a.exe
PID 1716 wrote to memory of 1572 (x4) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7623c6.exe
PID 2748 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\taskhost.exe
PID 2748 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\Dwm.exe
PID 2748 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\Explorer.EXE
PID 2748 wrote to memory of 2740 (x2) N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Users\Admin\AppData\Local\Temp\f76084a.exe
PID 2748 wrote to memory of 1572 (x2) N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Users\Admin\AppData\Local\Temp\f7623c6.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe C:\Windows\system32\taskhost.exe
PID 2740 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe C:\Windows\system32\Dwm.exe
PID 2740 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe C:\Windows\Explorer.EXE
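The WriteProcessMemory table above mixes three different things that a responder wants separated: the hand-off between the two rundll32 instances, writes into the dropped payloads in %TEMP%, and injection into pre-existing system processes (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe). The Python below is an added example and not part of the sandbox report: it parses rows in the report's flattened form (a copy of the table is embedded as constructed sample input; a trailing "(xN)" after the target PID is accepted as a count of identical rows), rebuilds a first-writer tree from the PIDs in the table, and classifies every edge. The class names and the heuristic (a target in the writer's own ancestor chain is a write-back; a target under %TEMP% is a dropped payload; a target that itself writes is part of the loader chain; anything else is injection into a passive process) are this example's own, not a sandbox verdict.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the "Suspicious use of WriteProcessMemory" rows of the
# behavioral1 run above. One row per write as the sandbox prints them; a trailing
# "(xN)" after the target PID is accepted as "N identical consecutive rows".
SAMPLE_ROWS = r"""
PID 2648 wrote to memory of 1716 (x7) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 2748 (x4) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760696.exe
PID 2748 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\taskhost.exe
PID 2748 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\Dwm.exe
PID 2748 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\Explorer.EXE
PID 2748 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\DllHost.exe
PID 2748 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\rundll32.exe
PID 2748 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\SysWOW64\rundll32.exe
PID 1716 wrote to memory of 2740 (x4) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76084a.exe
PID 1716 wrote to memory of 1572 (x4) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7623c6.exe
PID 2748 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\taskhost.exe
PID 2748 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\system32\Dwm.exe
PID 2748 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Windows\Explorer.EXE
PID 2748 wrote to memory of 2740 (x2) N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Users\Admin\AppData\Local\Temp\f76084a.exe
PID 2748 wrote to memory of 1572 (x2) N/A C:\Users\Admin\AppData\Local\Temp\f760696.exe C:\Users\Admin\AppData\Local\Temp\f7623c6.exe
PID 2740 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe C:\Windows\system32\taskhost.exe
PID 2740 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe C:\Windows\system32\Dwm.exe
PID 2740 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f76084a.exe C:\Windows\Explorer.EXE
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)(?: \(x(\d+)\))? N/A (\S+) (\S+)$")

def parse_rows(text):
    """(src_pid, dst_pid, count, src_image, dst_image) per row; unparseable rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            src, dst, n, src_img, dst_img = m.groups()
            rows.append((int(src), int(dst), int(n or 1), src_img, dst_img))
    return rows

def build_graph(rows):
    """Image per PID, write count per (src, dst) edge, and the first writer of each PID."""
    images, writes, first_writer, seen = {}, Counter(), {}, set()
    for src, dst, n, src_img, dst_img in rows:
        images[src], images[dst] = src_img, dst_img
        seen.add(src)
        if dst not in seen:          # first time a PID shows up at all: treat the writer as its parent
            first_writer[dst] = src
            seen.add(dst)
        writes[(src, dst)] += n
    return images, writes, first_writer

def ancestors(pid, first_writer):
    """Chain of first writers above pid, closest first."""
    chain = []
    while pid in first_writer:
        pid = first_writer[pid]
        if pid in chain:             # malformed input could loop; never walk forever
            break
        chain.append(pid)
    return chain

def classify(src, dst, images, writers, first_writer):
    """Example heuristic for one write edge (this example's own categories)."""
    if dst in ancestors(src, first_writer):
        return "writeback-into-parent"   # payload writing into the loader that started it
    if r"\appdata\local\temp" in images[dst].lower():
        return "dropped-payload"         # writing into its own dropped executable
    if dst in writers:
        return "loader"                  # target goes on to write into other processes itself
    return "system-injection"            # passive, pre-existing Windows process

def summarize(text):
    rows = parse_rows(text)
    images, writes, first_writer = build_graph(rows)
    writers = {s for s, _ in writes}
    by_class = defaultdict(dict)
    for (s, d), n in writes.items():
        by_class[classify(s, d, images, writers, first_writer)][(s, d)] = n
    injection = by_class.get("system-injection", {})
    victims = sorted({d for _, d in injection})
    injectors = sorted({s for s, _ in injection})
    return {
        "total_writes": sum(writes.values()),
        "unique_edges": len(writes),
        "roots": sorted(writers - set(first_writer)),   # writers nobody wrote into first
        "by_class": dict(by_class),
        "victims": [(p, images[p].rsplit("\\", 1)[-1]) for p in victims],
        "injectors": [(p, images[p].rsplit("\\", 1)[-1]) for p in injectors],
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(s["total_writes"], "writes over", s["unique_edges"], "edges; roots:", s["roots"])
    for cls, edges in s["by_class"].items():
        print(cls, sorted(edges.items()))
    print("injected into:", s["victims"], "by", s["injectors"])
```

On this table the root is the 64-bit rundll32 (2648), the four system processes appear only as targets, and the two injectors are the dropped f760696.exe (2748) and f76084a.exe (2740). The write-back edges from 2748 into both rundll32 instances are the rows worth a second look when the same data is reviewed by hand.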

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
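The registry writes recorded under "Modifies firewall policy service", "UAC bypass", "Windows security bypass", "Windows security modification" and "System policy modification" (the same keys appear in the win10 run below) are the hunting material to take from this report. The Python below is an added example, not part of the sandbox report: it parses rows in the report's flattened form (a constructed sample copied from the tables above is embedded), converts the native \REGISTRY\MACHINE paths into the HKLM form that reg query takes, dedupes them, and labels the states that match what the sample set (firewall off, UAC off, Security Center overrides). The rule table and the ATT&CK technique IDs are this example's own mapping; the report itself does not carry them.

```python
import re

# Constructed sample: registry rows copied from the behavioral1 signature tables
# above, in the sandbox's flattened "Description Indicator Process Target" form.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760696.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76084a.exe N/A
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+) \S+$')
KEY_RE = re.compile(r'^Key created (.+) (\S+) \S+$')
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# This example's own rule table (not from the report):
# (key suffix, value name) -> (data that means "tampered", meaning, ATT&CK technique).
VALUE_RULES = {
    (r"firewallpolicy\standardprofile", "enablefirewall"):       ("0", "Windows Firewall standard profile disabled", "T1562.004"),
    (r"firewallpolicy\standardprofile", "donotallowexceptions"): ("0", "firewall exceptions allowed again", "T1562.004"),
    (r"firewallpolicy\standardprofile", "disablenotifications"): ("1", "firewall notifications suppressed", "T1562.004"),
    (r"policies\system", "enablelua"):                           ("0", "UAC disabled (effective after reboot)", "T1548.002"),
}

def native_to_hklm(path):
    """Rewrite the kernel-style \\REGISTRY\\MACHINE\\... path into the HKLM\\... form reg query takes."""
    for native, short in HIVES.items():
        if path.lower().startswith(native.lower()):
            return short + path[len(native):]
    return path

def parse_rows(text):
    """Parse 'Set value' and 'Key created' rows; rows of any other shape are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            vtype, full, data, proc = m.groups()
            key, _, name = full.rpartition("\\")     # last path component is the value name
            entries.append({"op": "set", "key": native_to_hklm(key), "name": name,
                            "type": vtype, "data": data, "process": proc})
            continue
        m = KEY_RE.match(line)
        if m:
            full, proc = m.groups()
            entries.append({"op": "create_key", "key": native_to_hklm(full), "name": None,
                            "type": None, "data": None, "process": proc})
    return entries

def assess(entry):
    """Return (meaning, technique) if the write puts the key into a known-bad state, else None."""
    if entry["op"] != "set":
        return None
    # Drop the WOW64 redirection node so one rule covers 32-bit and 64-bit writers.
    key = entry["key"].lower().replace(r"\wow6432node", "")
    name = entry["name"].lower()
    for (suffix, vname), (bad, meaning, tech) in VALUE_RULES.items():
        if key.endswith(suffix) and name == vname and entry["data"] == bad:
            return meaning, tech
    if key.endswith(r"\security center") and entry["data"] == "1" and (
            name.endswith("override") or name.endswith("disablenotify")):
        return "Security Center override / notification suppressed", "T1562.001"
    return None

def unique_findings(entries):
    """Dedupe on (key, value name, data); collect the writing processes and the assessment."""
    seen = {}
    for e in entries:
        f = seen.setdefault((e["key"], e["name"], e["data"]), {
            "op": e["op"], "key": e["key"], "name": e["name"], "data": e["data"],
            "processes": set(), "assessment": assess(e)})
        f["processes"].add(e["process"].rsplit("\\", 1)[-1])
    return list(seen.values())

def wow64_redirected(entries):
    """Keys that landed under Wow6432Node, i.e. written by a 32-bit process on a 64-bit guest."""
    return sorted({e["key"] for e in entries if "wow6432node" in e["key"].lower()})

if __name__ == "__main__":
    entries = parse_rows(SAMPLE_ROWS)
    for f in unique_findings(entries):
        flag = f["assessment"] or ("-", "-")
        print(flag[1].ljust(10), f["key"] + "\\" + (f["name"] or ""), "=", f["data"],
              "by", sorted(f["processes"]), flag[0])
    print("WOW64-redirected keys:", wow64_redirected(entries))
```

Two things the output makes explicit that the raw tables do not: every Security Center write in this report landed under Wow6432Node, which is where the registry redirector sends a 32-bit writer on a 64-bit guest, so a hunt on a 64-bit host has to query both the native Security Center key and the Wow6432Node copy; and EnableLUA = 0 is only honoured after a reboot, so a machine that has not restarted since infection still shows UAC as active in practice while the value already reads 0.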

Processes

Image                                            Command line
C:\Windows\system32\taskhost.exe                 "taskhost.exe"
C:\Windows\system32\Dwm.exe                      "C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE                          C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\rundll32.exe                 rundll32.exe C:\Users\Admin\AppData\Local\Temp\93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f.dll,#1
C:\Windows\SysWOW64\rundll32.exe                 rundll32.exe C:\Users\Admin\AppData\Local\Temp\93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f.dll,#1
C:\Users\Admin\AppData\Local\Temp\f760696.exe    C:\Users\Admin\AppData\Local\Temp\f760696.exe
C:\Users\Admin\AppData\Local\Temp\f76084a.exe    C:\Users\Admin\AppData\Local\Temp\f76084a.exe
C:\Users\Admin\AppData\Local\Temp\f7623c6.exe    C:\Users\Admin\AppData\Local\Temp\f7623c6.exe

Process relationships, inferred from the order of the WriteProcessMemory rows (PIDs from that table; the sandbox records memory writes, not process creation, so parent/child links are an inference):

rundll32.exe (2648, C:\Windows\system32)   sample DLL loaded through export #1
  rundll32.exe (1716, C:\Windows\SysWOW64)   the 64-bit rundll32 re-launches the 32-bit rundll32 for a 32-bit DLL
    f760696.exe (2748)   dropped to %TEMP%; writes back into both rundll32 instances and into taskhost.exe (1248), Dwm.exe (1328), Explorer.EXE (1356), DllHost.exe (1904)
    f76084a.exe (2740)   also written to by 2748; writes into taskhost.exe, Dwm.exe, Explorer.EXE
    f7623c6.exe (1572)   also written to by 2748; no writes of its own recorded

taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe were already running and appear only as write targets. The 32-bit origin of the injecting code matches the registry writes landing under Wow6432Node.

Network

N/A (no network activity recorded in this run)

Files

memory/1716-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760696.exe

MD5 3c221211a02db3e5906b043d4e8584bb
SHA1 b699072d044e0fad1dfc534f4a3d422552c89ede
SHA256 b1f8348d6fa6d6b5299d83468df99ff7e311a86eb103d61cb8f768c387abf92f
SHA512 50c1fa7754aa8dafbe99b3093a15cd068fe191204ce96d7ac0fc776e60fa391f8b8865954c98d1b23b8488bb78c0fb52f6dbd946be5cc91f3c742180784434b4

memory/1716-9-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2748-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2748-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-15-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-14-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-13-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1716-36-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2748-45-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2748-46-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/2748-44-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/1716-35-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1716-34-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1248-28-0x0000000001F10000-0x0000000001F12000-memory.dmp

memory/2748-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-22-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2740-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1716-56-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1716-55-0x0000000000290000-0x00000000002A2000-memory.dmp

memory/1716-53-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2748-58-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-59-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-60-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-61-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-62-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1716-72-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1572-76-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1716-74-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2748-77-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-78-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-80-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2740-88-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2740-87-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1572-94-0x0000000000360000-0x0000000000362000-memory.dmp

memory/1572-93-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/1572-96-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2740-95-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2748-98-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-99-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-101-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-102-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-104-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-107-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-108-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2748-115-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/2748-141-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2748-140-0x0000000000590000-0x000000000164A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 d6af33e48e394222ec665351cc85b653
SHA1 049e1de31a1c7ecdaaea5aca92131f8b691f8eb6
SHA256 c128192b2416d9cae097341e344429fe9471ef5d80a31dbdce01448b9a3398fa
SHA512 c48635e98825b1566ea418244757f7f073746f76c9be0370730c202f234140ed8ae64ec38e5a67bc618c7073e7e90fd80285f4523071059941d48410f803882b

memory/2740-153-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2740-174-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2740-175-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1572-179-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 23:56
Reported: 2024-06-16 23:59
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 151s

Command Line

"fontdrvhost.exe"

(As in the win7 run, this is the first entry of the process list, not the sample's own invocation.)

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

33 matches recorded; the sandbox kept no description, indicator, process or target for any of them.

UPX dump on OEP (original entry point)

39 matches recorded; the sandbox kept no description, indicator, process or target for any of them.

UPX packed file

upx
33 matches recorded; the sandbox kept no description, indicator, process or target for any of them.

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e579887 C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A
File created C:\Windows\e574508 C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 3596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1300 wrote to memory of 3596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1300 wrote to memory of 3596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 2956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe
PID 3596 wrote to memory of 2956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe
PID 3596 wrote to memory of 2956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5744ba.exe
PID 2956 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\fontdrvhost.exe
PID 2956 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\fontdrvhost.exe
PID 2956 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\dwm.exe
PID 2956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\sihost.exe
PID 2956 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\svchost.exe
PID 2956 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\taskhostw.exe
PID 2956 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\Explorer.EXE
PID 2956 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\svchost.exe
PID 2956 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\DllHost.exe
PID 2956 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2956 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2956 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2956 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2956 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\rundll32.exe
PID 2956 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574631.exe
PID 3596 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574631.exe
PID 3596 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574631.exe
PID 3596 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57607f.exe
PID 3596 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57607f.exe
PID 3596 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57607f.exe
PID 2956 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\fontdrvhost.exe
PID 2956 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\fontdrvhost.exe
PID 2956 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\dwm.exe
PID 2956 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\sihost.exe
PID 2956 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\svchost.exe
PID 2956 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\taskhostw.exe
PID 2956 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\Explorer.EXE
PID 2956 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\svchost.exe
PID 2956 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\system32\DllHost.exe
PID 2956 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2956 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2956 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2956 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Users\Admin\AppData\Local\Temp\e574631.exe
PID 2956 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Users\Admin\AppData\Local\Temp\e574631.exe
PID 2956 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Windows\System32\RuntimeBroker.exe
PID 2956 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Users\Admin\AppData\Local\Temp\e57607f.exe
PID 2956 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\e5744ba.exe C:\Users\Admin\AppData\Local\Temp\e57607f.exe
PID 2620 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\fontdrvhost.exe
PID 2620 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\fontdrvhost.exe
PID 2620 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\dwm.exe
PID 2620 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\sihost.exe
PID 2620 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\svchost.exe
PID 2620 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\taskhostw.exe
PID 2620 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\Explorer.EXE
PID 2620 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\svchost.exe
PID 2620 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\system32\DllHost.exe
PID 2620 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2620 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2620 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\e57607f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5744ba.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57607f.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\93d4f6c518c701ab1571a7ed202561f03aec10465e00a32d8cd9c187239dc17f.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5744ba.exe

C:\Users\Admin\AppData\Local\Temp\e5744ba.exe

C:\Users\Admin\AppData\Local\Temp\e574631.exe

C:\Users\Admin\AppData\Local\Temp\e574631.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57607f.exe

C:\Users\Admin\AppData\Local\Temp\e57607f.exe

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\e5744ba.exe

MD5 3c221211a02db3e5906b043d4e8584bb
SHA1 b699072d044e0fad1dfc534f4a3d422552c89ede
SHA256 b1f8348d6fa6d6b5299d83468df99ff7e311a86eb103d61cb8f768c387abf92f
SHA512 50c1fa7754aa8dafbe99b3093a15cd068fe191204ce96d7ac0fc776e60fa391f8b8865954c98d1b23b8488bb78c0fb52f6dbd946be5cc91f3c742180784434b4

C:\Windows\SYSTEM.INI

MD5 ee8dfe16fd7c6c3c6d8ae324bda85c44
SHA1 29b4e1e55fda662a749d1258e2ebe867315b3b96
SHA256 3107096ccae40fe3bc355a8e2023211a87e612f565e30c002c3dd05700d318a1
SHA512 26eea6c569e16ba5737b75c2772a0b28abf84a715b1230f487bc3d2bb0637356180ff7b186e15136698970f0283da5bd4122ae728e093eb960ecf6402018a103
