Malware Analysis Report

2024-09-11 12:20

Sample ID 240617-ce5yvsyhma
Target c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38
SHA256 c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38

Threat Level: Known bad

The file c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

Sality

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Loads dropped DLL

UPX packed file

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 02:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 02:00

Reported

2024-06-17 02:03

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
(24 rows; indicator, process and target are all N/A for this signature in the export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(28 rows; indicator, process and target are all N/A for this signature in the export)

UPX packed file

upx
Description Indicator Process Target
(24 rows; indicator, process and target are all N/A for this signature in the export)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
File created C:\Windows\f76caed C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
File created C:\Windows\f76758d C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A (21 times)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A (20 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 times)
PID 2732 wrote to memory of 2992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7674e2.exe (4 times)
PID 2992 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\taskhost.exe
PID 2992 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\Dwm.exe
PID 2992 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\Explorer.EXE
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\DllHost.exe
PID 2992 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\rundll32.exe
PID 2992 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\SysWOW64\rundll32.exe (2 times)
PID 2732 wrote to memory of 2712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767b29.exe (4 times)
PID 2732 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768f16.exe (4 times)
PID 2992 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\taskhost.exe
PID 2992 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\Dwm.exe
PID 2992 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\Explorer.EXE
PID 2992 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Users\Admin\AppData\Local\Temp\f767b29.exe (2 times)
PID 2992 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Users\Admin\AppData\Local\Temp\f768f16.exe (2 times)
PID 2924 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe C:\Windows\system32\taskhost.exe
PID 2924 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe C:\Windows\system32\Dwm.exe
PID 2924 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe C:\Windows\Explorer.EXE
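The WriteProcessMemory rows above mix two very different things. The writes from C:\Windows\system32\rundll32.exe into C:\Windows\SysWOW64\rundll32.exe, and from the SysWOW64 copy into the three dropped executables, are launch-time writes by a parent into a child it just created (the 64-bit rundll32 hands a 32-bit DLL to the 32-bit rundll32, which then runs the payloads). The writes from f7674e2.exe and f768f16.exe into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, processes they did not create, are the injection that matters, and the later write from f7674e2.exe back into the 64-bit rundll32.exe (2264) is what makes a naive parent/child reconstruction loop. The script below is an added example written for this report, not tooling from the sandbox; its SAMPLE_ROWS are the distinct rows of the table above, and the rule that a write from a dropped executable into a process under C:\Windows\ counts as injection is this example's own heuristic.

```python
"""Rebuild the write/injection graph from "PID X wrote to memory of Y" rows.

Added example for this report, not sandbox tooling.  SAMPLE_ROWS are copied
from the behavioral1 table above (one copy of each distinct row); the rule that
a write from a dropped executable into a process under C:\\Windows\\ counts as
injection is this example's own heuristic."""
import re

# Constructed input: the distinct rows of the WriteProcessMemory table above.
SAMPLE_ROWS = r"""
PID 2264 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 2992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7674e2.exe
PID 2992 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\taskhost.exe
PID 2992 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\Dwm.exe
PID 2992 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\Explorer.EXE
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\DllHost.exe
PID 2992 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f7674e2.exe C:\Windows\system32\rundll32.exe
PID 2732 wrote to memory of 2712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767b29.exe
PID 2732 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768f16.exe
PID 2924 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe C:\Windows\system32\taskhost.exe
PID 2924 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f768f16.exe C:\Windows\Explorer.EXE
"""

# Export format: PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
# A trailing "(n times)" is tolerated so rows collapsed for duplicates parse as well.
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
                    r"(?P<src_img>\S+) (?P<dst_img>\S+)(?: \(\d+ times\))?$")


def image_name(path):
    return path.rsplit("\\", 1)[-1]


def is_dropped(img):
    return "\\appdata\\local\\temp\\" in img.lower()


def is_system(img):
    return img.lower().startswith("c:\\windows\\")


def parse_edges(text):
    """Ordered, de-duplicated (src_pid, dst_pid, src_img, dst_img) tuples."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            e = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
            if e not in seen:
                seen.add(e)
                edges.append(e)
    return edges


def staged(edges):
    """Dropped executables that a Windows binary (here rundll32) wrote into:
    the loader setting up the payloads it launched, not injection."""
    return sorted({image_name(d) for _, _, s, d in edges if is_system(s) and is_dropped(d)})


def injections(edges):
    """(writer, target) pairs where a dropped executable wrote into a process
    under C:\\Windows\\.  A freshly dropped binary has no legitimate reason to
    touch taskhost, Dwm or Explorer; these are the rows worth escalating."""
    return sorted({(image_name(s), image_name(d)) for _, _, s, d in edges
                   if is_dropped(s) and is_system(d)})


def lineage(edges, pid):
    """Chain of first writers leading to pid, oldest first.  Only the first
    write into a PID not seen before counts as its origin, so the later write
    from f7674e2.exe back into the 64-bit rundll32.exe (2264) cannot turn the
    root of the chain into its own descendant."""
    known, first_writer = set(), {}
    for s, d, _, _ in edges:
        if d not in known:
            first_writer[d] = s
        known.update((s, d))
    chain, seen = [], set()
    while pid not in seen:          # guard against any remaining cycle
        seen.add(pid)
        chain.append(pid)
        if pid not in first_writer:
            break
        pid = first_writer[pid]
    return chain[::-1]


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print("staged payloads:", staged(edges))
    for writer, target in injections(edges):
        print(f"injection: {writer} -> {target}")
    print("how code reached taskhost.exe (1112):",
          " -> ".join(map(str, lineage(edges, 1112))))
```

On the rows above, staged() returns the three dropped executables, injections() returns seven writer/target pairs (five from f7674e2.exe, two from f768f16.exe), and lineage(edges, 1112) gives 2264 -> 2732 -> 2992 -> 1112, which is the 64-bit rundll32, the 32-bit rundll32, the first payload and finally taskhost.exe.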

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
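The registry tables in this analysis (firewall policy, UAC bypass, Windows security bypass/modification, system policy modification) all record the same pattern: a dropped executable writing fixed values into keys that the OS security services read. Two details are easy to miss when reading the rows directly. DoNotAllowExceptions = "0" is the default setting, so that row is a no-op rather than a change, and a detection that counts every write as tampering over-reports. Every Security Center write landed under Wow6432Node, which is where HKLM\SOFTWARE writes from a 32-bit process are redirected on 64-bit Windows, while the EnableLUA write under Policies\System and the SharedAccess writes in the SYSTEM hive show no redirection; the report's own paths therefore tell you which writes reached the keys the native 64-bit services consult. The script below is an added example written for this report, not tooling from the sandbox: it parses rows in the export format used above into canonical HKLM paths, grades each against an assumed clean-host baseline (the BASELINE values are this example's assumption about default Windows settings, not something the report states), and records which writes went through the WOW64 view. SAMPLE_ROWS are copied from the behavioral1 tables; the same code handles the behavioral2 rows, whose WOW6432Node casing differs.

```python
"""Grade the registry writes from a sandbox report against a clean baseline.

Added example for this report, not tooling from the sandbox that produced it.
SAMPLE_ROWS are copied from the behavioral1 tables above; BASELINE is this
example's assumption about the default values on a clean Windows host."""
import re

# Constructed input: rows copied verbatim from the signature tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768f16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7674e2.exe N/A
"""

# Export format: Set value (<type>) <path> = "<value>" <process> <target>
# The process path is assumed to contain no spaces (true for every row above).
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<value>[^"]*)" (?P<proc>\S+) \S+$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.*?) (?P<proc>\S+) \S+$')

# Assumed clean defaults (lower-cased for lookup); keys not listed are "no baseline".
BASELINE = {k.lower(): v for k, v in {
    r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "1",
    r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions": "0",
    r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications": "0",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "1",
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": "0",
}.items()}


def canonical(path):
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\..., drop the Wow6432Node view, and
    report whether the write was WOW64-redirected (the path itself tells us)."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    redirected = re.search(r"\\wow6432node\\", p, flags=re.I) is not None
    return re.sub(r"\\wow6432node\\", r"\\", p, flags=re.I), redirected


def parse_rows(text):
    """One event dict per recognised row; unrecognised rows are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            path, redirected = canonical(m["path"])
            events.append({"op": "set", "path": path, "value": m["value"],
                           "proc": m["proc"], "redirected": redirected})
        elif m := KEY_RE.match(line):
            path, redirected = canonical(m["path"])
            events.append({"op": "key", "path": path, "value": None,
                           "proc": m["proc"], "redirected": redirected})
    return events


def grade(events):
    """Classify every write.  A value equal to its default is reported as
    'default_value', not as tampering, so counts are not inflated by no-ops."""
    out = {k: set() for k in ("tampered", "default_value", "no_baseline",
                              "key_created", "redirected")}
    for ev in events:
        if ev["redirected"]:
            out["redirected"].add(ev["path"])
        if ev["op"] == "key":
            out["key_created"].add(ev["path"])
            continue
        expected = BASELINE.get(ev["path"].lower())
        if expected is None:
            out["no_baseline"].add(ev["path"])
        elif ev["value"] == expected:
            out["default_value"].add(ev["path"])
        else:
            out["tampered"].add(ev["path"])
    return {k: sorted(v) for k, v in out.items()}


def by_process(events):
    """Which dropped executable touched which keys (image name -> sorted paths)."""
    out = {}
    for ev in events:
        out.setdefault(ev["proc"].rsplit("\\", 1)[-1], set()).add(ev["path"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for status, paths in grade(evs).items():
        print(f"{status}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
    for proc, paths in by_process(evs).items():
        print(f"{proc}: {len(paths)} keys")
```

On the sample rows, grade() reports five tampered paths (EnableFirewall, DisableNotifications, EnableLUA, AntiVirusOverride, UacDisableNotify), one default_value path (DoNotAllowExceptions), one created key (Security Center\Svc) and three paths reached through the WOW64 view; the redirected set is the one to cross-check against what the native 64-bit services read before treating those writes as effective.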

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7674e2.exe

C:\Users\Admin\AppData\Local\Temp\f7674e2.exe

C:\Users\Admin\AppData\Local\Temp\f767b29.exe

C:\Users\Admin\AppData\Local\Temp\f767b29.exe

C:\Users\Admin\AppData\Local\Temp\f768f16.exe

C:\Users\Admin\AppData\Local\Temp\f768f16.exe

Network

N/A

Files

memory/2732-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2732-2-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f7674e2.exe

MD5 e4cd16c8d45c55df2771ce91fc51d3c9
SHA1 69a69fa0d0745b6fcef81d1e304ea468849f7cda
SHA256 d67910e7b194c46ed3c3cc46f5af7e7a4e2072297a196e2e4990850ad80f6467
SHA512 f5da562a00e4358c2dba24cbe4551824bda59798a32831cc28cb3bb9b40b3dff6399eaf474aebed83994b55f389bbd49a5815be827b9ae6a75fc596dbb7a28b8

memory/2992-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2732-11-0x00000000000B0000-0x00000000000C2000-memory.dmp

memory/2732-5-0x00000000000B0000-0x00000000000C2000-memory.dmp

memory/2992-13-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-22-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-18-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-20-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-16-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-21-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-23-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-19-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-17-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-15-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1112-29-0x0000000001E20000-0x0000000001E22000-memory.dmp

memory/2992-46-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2992-45-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2732-39-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2732-49-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2992-48-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2732-56-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2712-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2732-58-0x0000000000240000-0x0000000000252000-memory.dmp

memory/2732-38-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2732-37-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2992-61-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-60-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-62-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-64-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-63-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-66-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2924-79-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2732-77-0x00000000000B0000-0x00000000000B6000-memory.dmp

memory/2732-74-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2992-80-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-81-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-83-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-85-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-88-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2712-104-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2924-103-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2712-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2924-107-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2712-106-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2992-116-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2992-148-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2992-147-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2712-152-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 1ac5062a9107bf00d0b91dd7419c3254
SHA1 95c6acef7a33953c21df6f00838dd41cbc385ea5
SHA256 d80935bfa80d6d310c6b1b9dbb2f2bbd8520887f428e377774af25901551df0e
SHA512 d258887d4d9c4a78fa6e339f3e5e6747fb8d676f05bc90d1ccad430626e59f3e9bfe65e6c908ebaa83d23f90ebea7ab56ce50c589697c78e59cc8cf4b444ca2e

memory/2924-165-0x0000000000A10000-0x0000000001ACA000-memory.dmp

memory/2924-198-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2924-199-0x0000000000A10000-0x0000000001ACA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 02:00

Reported

2024-06-17 02:03

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
(33 rows; indicator, process and target are all N/A for this signature in the export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(39 rows; indicator, process and target are all N/A for this signature in the export)

UPX packed file

upx
Description Indicator Process Target
(33 rows; indicator, process and target are all N/A for this signature in the export)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574381 C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
File created C:\Windows\e57954b C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 3772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4552 wrote to memory of 3772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4552 wrote to memory of 3772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 4400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe
PID 3772 wrote to memory of 4400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe
PID 3772 wrote to memory of 4400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574333.exe
PID 4400 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\fontdrvhost.exe
PID 4400 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\fontdrvhost.exe
PID 4400 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\dwm.exe
PID 4400 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\sihost.exe
PID 4400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\svchost.exe
PID 4400 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\taskhostw.exe
PID 4400 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\Explorer.EXE
PID 4400 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\svchost.exe
PID 4400 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\DllHost.exe
PID 4400 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4400 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4400 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4400 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4400 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\rundll32.exe
PID 4400 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SysWOW64\rundll32.exe
PID 4400 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 4632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5745a4.exe
PID 3772 wrote to memory of 4632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5745a4.exe
PID 3772 wrote to memory of 4632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5745a4.exe
PID 3772 wrote to memory of 3976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f08.exe
PID 3772 wrote to memory of 3976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f08.exe
PID 3772 wrote to memory of 3976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f08.exe
PID 3772 wrote to memory of 2152 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f46.exe
PID 3772 wrote to memory of 2152 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f46.exe
PID 3772 wrote to memory of 2152 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f46.exe
PID 4400 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\fontdrvhost.exe
PID 4400 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\fontdrvhost.exe
PID 4400 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\dwm.exe
PID 4400 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\sihost.exe
PID 4400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\svchost.exe
PID 4400 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\taskhostw.exe
PID 4400 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\Explorer.EXE
PID 4400 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\svchost.exe
PID 4400 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\system32\DllHost.exe
PID 4400 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4400 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4400 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4400 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Users\Admin\AppData\Local\Temp\e5745a4.exe
PID 4400 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Users\Admin\AppData\Local\Temp\e5745a4.exe
PID 4400 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Windows\System32\RuntimeBroker.exe
PID 4400 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Users\Admin\AppData\Local\Temp\e575f08.exe
PID 4400 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Users\Admin\AppData\Local\Temp\e575f08.exe
PID 4400 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Users\Admin\AppData\Local\Temp\e575f46.exe
PID 4400 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e574333.exe C:\Users\Admin\AppData\Local\Temp\e575f46.exe
PID 2152 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\system32\fontdrvhost.exe
PID 2152 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\system32\fontdrvhost.exe
PID 2152 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\system32\dwm.exe
PID 2152 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\system32\sihost.exe
PID 2152 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\system32\svchost.exe
PID 2152 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\system32\taskhostw.exe
PID 2152 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e575f46.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575f46.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3f90c2ecf7af272f352028a42a1398825fa0dc5a0cf57469d9ee16a7ed18b38.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574333.exe

C:\Users\Admin\AppData\Local\Temp\e574333.exe

C:\Users\Admin\AppData\Local\Temp\e5745a4.exe

C:\Users\Admin\AppData\Local\Temp\e5745a4.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e575f08.exe

C:\Users\Admin\AppData\Local\Temp\e575f08.exe

C:\Users\Admin\AppData\Local\Temp\e575f46.exe

C:\Users\Admin\AppData\Local\Temp\e575f46.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3772-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574333.exe

MD5 e4cd16c8d45c55df2771ce91fc51d3c9
SHA1 69a69fa0d0745b6fcef81d1e304ea468849f7cda
SHA256 d67910e7b194c46ed3c3cc46f5af7e7a4e2072297a196e2e4990850ad80f6467
SHA512 f5da562a00e4358c2dba24cbe4551824bda59798a32831cc28cb3bb9b40b3dff6399eaf474aebed83994b55f389bbd49a5815be827b9ae6a75fc596dbb7a28b8

memory/4400-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4400-8-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-9-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-12-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-11-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-14-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-19-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4632-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4400-21-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-35-0x0000000001A30000-0x0000000001A32000-memory.dmp

memory/4400-31-0x0000000001A30000-0x0000000001A32000-memory.dmp

memory/3772-30-0x00000000014C0000-0x00000000014C1000-memory.dmp

memory/3772-29-0x0000000001230000-0x0000000001232000-memory.dmp

memory/4400-20-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3772-26-0x0000000001230000-0x0000000001232000-memory.dmp

memory/4400-25-0x0000000004230000-0x0000000004231000-memory.dmp

memory/3772-22-0x0000000001230000-0x0000000001232000-memory.dmp

memory/4400-10-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-34-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-37-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-38-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-39-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-40-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-41-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-43-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-44-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3976-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2152-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4400-58-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-60-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-61-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/2152-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3976-70-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4632-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2152-68-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3976-66-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/4632-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2152-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3976-73-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4632-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4400-75-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-76-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-79-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-82-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-84-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-85-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-87-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-89-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-91-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-93-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-100-0x0000000001A30000-0x0000000001A32000-memory.dmp

memory/4400-95-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4400-112-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4632-116-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 bc25bc68ec46109190d7cba3a6fbbf66
SHA1 9e4e2f16d2326f94e964a963c9a0d381e90ab8c4
SHA256 a270841cef22125da836379ab67e40846adca4b290844734c4fb01e8e13845a3
SHA512 db906693cc5660571684bfbcba82b96d2a25adad384df2c9377abcf0d306bf95f7af1e4ce4ae8c122780661f140ac7feafa809df7aafcb86cd0e61d34f20c2bc

memory/2152-133-0x0000000000B40000-0x0000000001BFA000-memory.dmp

memory/3976-144-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2152-162-0x0000000000B40000-0x0000000001BFA000-memory.dmp

memory/2152-163-0x0000000000400000-0x0000000000412000-memory.dmp