Malware Analysis Report

2024-09-11 12:18

Sample ID 240617-ecv2zssgjg
Target ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
SHA256 ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies firewall policy service

UAC bypass

Sality

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Windows security modification

UPX packed file

Loads dropped DLL

Deletes itself

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 03:48

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 03:48

Reported

2024-06-17 03:50

Platform

win7-20240221-en

Max time kernel

10s

Max time network

19s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality


UPX dump on OEP (original entry point)


UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\taskhost.exe
PID 2856 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\Dwm.exe
PID 2856 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\Explorer.EXE
PID 2856 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\DllHost.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2464 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2464 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2464 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2464 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2856 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\taskhost.exe
PID 2856 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\Dwm.exe
PID 2856 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\Explorer.EXE
PID 2856 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\DllHost.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2856 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2464 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2464 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2464 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2464 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

"C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

N/A

Files

memory/2856-1-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2856-7-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-3-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-10-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-11-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-15-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-29-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2856-28-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2856-27-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2856-25-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2856-24-0x0000000000240000-0x0000000000242000-memory.dmp

memory/1116-17-0x0000000002070000-0x0000000002072000-memory.dmp

memory/2856-9-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-8-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-6-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-4-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-5-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-31-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-16-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-35-0x0000000002820000-0x00000000038AE000-memory.dmp

memory/2856-34-0x0000000002820000-0x00000000038AE000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 7b279432c17d041b0f923b1d84fbd3b5
SHA1 f6a2ef3a0030deaa01d38d28fd80304daa77a960
SHA256 ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
SHA512 4b889f36b1eec440b54328d41e572200856ea6d11954830b7fda68574395f6ec342cdcf97e0a98ea106e41ad27ff425a944a3b70bb29725b8dfc60c250f2e33e

memory/2856-38-0x000000000A3D0000-0x000000000A492000-memory.dmp

memory/2464-62-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-67-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-70-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-83-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2464-82-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2464-81-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2464-78-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2464-69-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-68-0x00000000028F0000-0x000000000397E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F7630E0_Rar\rundll32.exe

MD5 9f4ad2e1a21330ed5442d666e37a3b47
SHA1 af241db65197924eab63e20fd481bbdd8aafb053
SHA256 d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783
SHA512 c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb

memory/2464-87-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-65-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-64-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-63-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-66-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-61-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2464-60-0x00000000028F0000-0x000000000397E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 694efca7fdc05a6fbc31a8dc1745a93c
SHA1 2b7d4c99cdd893296da9d9cce8bda12c741ef709
SHA256 43b37387ef2a3eff4718a537199c63035d14074090436bdd9f16e9439395830d
SHA512 9298e880abc2705e1e4e3ec66180872f3d8b2905e1d96c8718731a24c4519cb427421029adae47b93f756b02c776fdc0d42f34303a62c0258540b66f6717cb6c

memory/2464-58-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2856-57-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2464-42-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2464-150-0x00000000028F0000-0x000000000397E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 03:48

Reported

2024-06-17 03:50

Platform

win10v2004-20240611-en

Max time kernel

30s

Max time network

101s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (41 matches, none with a description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (42 matches, none with a description, indicator, process or target recorded)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (40 matches, none with a description, indicator, process or target recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
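The signature tables above record the same small set of registry values written by both the submitted sample and its dropped copy (which, in the behavioral1 Files list, carries the same SHA256 as the sample, so it is a plain copy rather than a second-stage payload). The following classifier, an added example by the editor and not code from the report or the sandbox, parses rows in the report's own `Set value` format, rewrites the kernel-style `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes to the `HKLM` / `HKU\<SID>` form Sysmon also uses, and maps each write to an ATT&CK technique. Two caveats the rows themselves support: writing under HKLM\SYSTEM and HKLM\SOFTWARE needs an elevated token, so the detonation ran the sample elevated and on a standard-user account only the HKU writes (Explorer settings and the Run key) would succeed; and the Security Center values landed under WOW6432Node, the redirected view a 32-bit process gets on this 64-bit host, whereas the SYSTEM hive and the Policies key are not redirected, which is why only that key carries the prefix. The technique IDs, the rule table and the list of system binary names are the editor's assumptions; `SAMPLE_ROWS` is constructed from the tables above.

```python
"""Classify the registry writes recorded in this report as defence tampering.

Added example by the editor; it is neither part of the sandbox report nor
sandbox tooling. SAMPLE_ROWS is constructed from the report's "Set value"
rows. The hive normalisation, the rule table and the ATT&CK technique IDs
are the editor's own mapping, not something the report states.
"""
import fnmatch
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-4204450073-1267028356-951339405-1000"
FWP = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
WSC = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"

# Constructed from the behavioral2 signature tables (a subset of the rows).
SAMPLE_ROWS = [
    rf'Set value (int) {FWP}\EnableFirewall = "0" {DROPPED} N/A',
    rf'Set value (int) {FWP}\DoNotAllowExceptions = "0" {SAMPLE} N/A',
    rf'Set value (int) {FWP}\DisableNotifications = "1" {SAMPLE} N/A',
    rf'Set value (int) {WSC}\AntiVirusOverride = "1" {DROPPED} N/A',
    rf'Set value (int) {WSC}\UacDisableNotify = "1" {SAMPLE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {SAMPLE} N/A',
    rf'Set value (int) {USER_HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" {SAMPLE} N/A',
    rf'Set value (int) {USER_HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" {DROPPED} N/A',
    rf'Set value (str) {USER_HIVE}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" {SAMPLE} N/A',
    rf'Key created {WSC}\Svc {DROPPED} N/A',  # not a value write; the parser skips it
]

ROW_RE = re.compile(r'^Set value \((?:int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<val>.*)" (?P<proc>\S+) N/A$')
SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\")


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID (editor's mapping)
    key: str        # normalised hive\key\valuename
    value: str
    process: str    # image path of the writing process
    note: str


# Glob over the normalised path, the value that signals tampering, technique, note.
RULES = [
    (r"HKLM\SYSTEM\*\Services\SharedAccess\Parameters\FirewallPolicy\*\EnableFirewall", "0", "T1562.004", "firewall profile disabled"),
    (r"HKLM\SYSTEM\*\Services\SharedAccess\Parameters\FirewallPolicy\*\DoNotAllowExceptions", "0", "T1562.004", "firewall exceptions allowed again"),
    (r"HKLM\SYSTEM\*\Services\SharedAccess\Parameters\FirewallPolicy\*\DisableNotifications", "1", "T1562.004", "firewall notifications suppressed"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\*Override", "1", "T1562.001", "Security Center override flag set"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\*DisableNotify", "1", "T1562.001", "Security Center notification suppressed"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0", "T1548.002", "UAC disabled; takes effect after a reboot"),
    (r"HKU\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1", "T1564.001", "known extensions hidden in Explorer"),
    (r"HKU\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "0", "T1564.001", "hidden/system files hidden in Explorer"),
]
RUN_KEY = r"HK*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*"
# Names a dropped file borrows to blend in; rundll32.exe is the one this report shows (editor's list).
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "dllhost.exe", "taskhost.exe"}


def normalise(key: str) -> str:
    r"""Rewrite \REGISTRY\MACHINE and \REGISTRY\USER\<SID> as HKLM / HKU\<SID> and drop WOW6432Node.

    HKLM\SYSTEM and the Policies key are not redirected for 32-bit code; the
    Security Center key is, so a 32-bit writer lands in WOW6432Node. Dropping
    that component lets one rule cover both views.
    """
    m = SID_RE.match(key)
    if m:
        key = "HKU\\" + m.group(1) + "\\" + key[m.end():]
    elif key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    return re.sub(r"WOW6432Node\\", "", key, flags=re.IGNORECASE)


def check_run_key(key: str, value: str, proc: str):
    """Run-key persistence (T1547.001); adds a masquerading note when the
    launched image has a system binary's name but lives outside C:\\Windows."""
    if not fnmatch.fnmatchcase(key.lower(), RUN_KEY.lower()):
        return None
    image = value.strip('"')
    name = image.rsplit("\\", 1)[-1].lower()
    note = "Run value added"
    if name in SYSTEM_BINARY_NAMES and not image.lower().startswith("c:\\windows\\"):
        note += f"; {name} launched from outside %SystemRoot% (T1036.005)"
    return Finding("T1547.001", key, image, proc, note)


def classify(rows):
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # "Key created", "File opened" and similar rows are not value writes
        key = normalise(m["key"])
        value = m["val"].replace("\\\\", "\\")  # the report doubles backslashes in str values
        run = check_run_key(key, value, m["proc"])
        if run:
            findings.append(run)
            continue
        for pattern, bad, technique, note in RULES:
            if value == bad and fnmatch.fnmatchcase(key.lower(), pattern.lower()):
                findings.append(Finding(technique, key, value, m["proc"], note))
                break
    return findings


def summarise(findings):
    """Technique ID -> set of process basenames that performed a matching write."""
    out = {}
    for f in findings:
        out.setdefault(f.technique, set()).add(f.process.rsplit("\\", 1)[-1].lower())
    return out


if __name__ == "__main__":
    for f in classify(SAMPLE_ROWS):
        print(f.technique, f.key, "=", f.value, "by", f.process.rsplit("\\", 1)[-1], "-", f.note)
```

`summarise()` groups the writing processes per technique, which is what the report's split between the sample and the dropped copy amounts to. On a live host the same rule table applies to Sysmon Event ID 13 (RegistryEvent, value set) after the same normalisation, since its TargetObject field already uses the HKLM / HKU form.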

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A (64 identical rows)
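The SeDebugPrivilege rows above and the WriteProcessMemory rows that follow belong together: the sample (PID 948) enables SeDebugPrivilege and then writes into essentially every process in the session, including ones that run under accounts other than the user's own (fontdrvhost.exe, dwm.exe, svchost.exe), which is what the privilege is needed for, and the dropped copy (PID 2928) repeats the sweep once it is running. The example below, written by the editor and not taken from the report, parses both row formats and flags a process from a user-writable path that writes into several distinct processes whose image lives under C:\Windows; it also reports when one flagged process had itself been written into by another (the 948 to 2928 chain). `SAMPLE_ROWS` is a constructed subset of the two tables; the threshold and the path heuristics are the editor's choices.

```python
"""Fan-out analysis of the cross-process writes recorded in this report.

Added example by the editor; not part of the sandbox report. SAMPLE_ROWS is
constructed from the AdjustPrivilegeToken table above and the
WriteProcessMemory table that follows (a subset). The threshold and the
"user-writable path" heuristic are the editor's choices.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<img>\S+) N/A$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe"

# Constructed from the behavioral2 tables (a subset of the rows).
SAMPLE_ROWS = [
    rf"Token: SeDebugPrivilege N/A {SAMPLE} N/A",
    rf"PID 948 wrote to memory of 820 N/A {SAMPLE} C:\Windows\system32\fontdrvhost.exe",
    rf"PID 948 wrote to memory of 828 N/A {SAMPLE} C:\Windows\system32\fontdrvhost.exe",
    rf"PID 948 wrote to memory of 384 N/A {SAMPLE} C:\Windows\system32\dwm.exe",
    rf"PID 948 wrote to memory of 2560 N/A {SAMPLE} C:\Windows\system32\sihost.exe",
    rf"PID 948 wrote to memory of 2588 N/A {SAMPLE} C:\Windows\system32\svchost.exe",
    rf"PID 948 wrote to memory of 2748 N/A {SAMPLE} C:\Windows\system32\taskhostw.exe",
    rf"PID 948 wrote to memory of 3552 N/A {SAMPLE} C:\Windows\Explorer.EXE",
    rf"PID 948 wrote to memory of 3856 N/A {SAMPLE} C:\Windows\system32\DllHost.exe",
    rf"PID 948 wrote to memory of 4016 N/A {SAMPLE} C:\Windows\System32\RuntimeBroker.exe",
    rf"PID 948 wrote to memory of 2928 N/A {SAMPLE} {DROPPED}",
    rf"PID 948 wrote to memory of 2928 N/A {SAMPLE} {DROPPED}",
    rf"PID 948 wrote to memory of 2928 N/A {SAMPLE} {DROPPED}",
    rf"PID 2928 wrote to memory of 820 N/A {DROPPED} C:\Windows\system32\fontdrvhost.exe",
    rf"PID 2928 wrote to memory of 384 N/A {DROPPED} C:\Windows\system32\dwm.exe",
    rf"PID 2928 wrote to memory of 2588 N/A {DROPPED} C:\Windows\system32\svchost.exe",
    rf"PID 2928 wrote to memory of 3552 N/A {DROPPED} C:\Windows\Explorer.EXE",
]


def is_user_writable(image: str) -> bool:
    """Heuristic: anything under a user profile is writable without admin rights."""
    return image.lower().startswith("c:\\users\\")


def is_system_image(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def analyse(rows, min_system_targets=3):
    """Return (findings, chains).

    findings: one dict per source process from a user-writable path that wrote
              into at least min_system_targets distinct processes whose image
              lives under C:\\Windows, with whether it enabled SeDebugPrivilege.
    chains:   (src_pid, dst_pid) pairs where the target itself went on to write
              into other processes, i.e. the sweep was repeated by a process the
              first one had written into.
    """
    writes = defaultdict(dict)  # src pid -> {dst pid: dst image}
    image_of = {}               # pid -> image path
    sedebug = set()             # images that enabled SeDebugPrivilege
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            writes[src][dst] = m["dst_img"]  # repeated writes to one target count once
            image_of[src] = m["src_img"]
            image_of[dst] = m["dst_img"]
            continue
        m = TOKEN_RE.match(row)
        if m and m["priv"] == "SeDebugPrivilege":
            sedebug.add(m["img"])

    findings = []
    for src, targets in writes.items():
        system_targets = {pid for pid, img in targets.items() if is_system_image(img)}
        if is_user_writable(image_of[src]) and len(system_targets) >= min_system_targets:
            findings.append({
                "pid": src,
                "image": image_of[src],
                "system_targets": len(system_targets),
                "target_images": sorted({targets[p].rsplit("\\", 1)[-1].lower() for p in system_targets}),
                "sedebug": image_of[src] in sedebug,
            })
    chains = sorted((src, dst) for src, targets in writes.items() for dst in targets if dst in writes)
    return findings, chains


if __name__ == "__main__":
    found, chain = analyse(SAMPLE_ROWS)
    for f in found:
        print(f"PID {f['pid']} ({f['image']}) wrote into {f['system_targets']} system processes, SeDebugPrivilege={f['sedebug']}")
    print("injection chains:", chain)
```

On a live host the closest telemetry is Sysmon Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x0020); counting distinct targets per SourceImage and requiring the source to sit under a user profile is what separates this sweep from debuggers and security agents, which also open many processes but run from Program Files or System32.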

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\fontdrvhost.exe
PID 948 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\fontdrvhost.exe
PID 948 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\dwm.exe
PID 948 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\sihost.exe
PID 948 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\svchost.exe
PID 948 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\taskhostw.exe
PID 948 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\Explorer.EXE
PID 948 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\svchost.exe
PID 948 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\DllHost.exe
PID 948 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 948 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\System32\RuntimeBroker.exe
PID 948 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 948 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\System32\RuntimeBroker.exe
PID 948 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\System32\RuntimeBroker.exe
PID 948 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 948 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\backgroundTaskHost.exe
PID 948 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Windows\system32\backgroundTaskHost.exe
PID 948 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2928 wrote to memory of 820 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2928 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2928 wrote to memory of 384 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 2928 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 2928 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2928 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 2928 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2928 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2928 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2928 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2928 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2928 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2928 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2928 wrote to memory of 372 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2928 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2928 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2928 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2928 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

"C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 7b279432c17d041b0f923b1d84fbd3b5
SHA1 f6a2ef3a0030deaa01d38d28fd80304daa77a960
SHA256 ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
SHA512 4b889f36b1eec440b54328d41e572200856ea6d11954830b7fda68574395f6ec342cdcf97e0a98ea106e41ad27ff425a944a3b70bb29725b8dfc60c250f2e33e

C:\Users\Admin\AppData\Local\Temp\0E574C3B_Rar\rundll32.exe

MD5 9f4ad2e1a21330ed5442d666e37a3b47
SHA1 af241db65197924eab63e20fd481bbdd8aafb053
SHA256 d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783
SHA512 c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb

C:\Windows\SYSTEM.INI

MD5 9e19af823b490dcd28a0ce4e6b624094
SHA1 a998ace5fded07d3fde6e29440580d067c133b1a
SHA256 5ca6b54541a1396a92226aac4cd4e1e7b7e9698999a9dab376c4fc6efcf68ffa
SHA512 882eef18df09046826d433705e640f27cc40c81c9de5025839bf013af7afb6a619ca886c8a840286438978d9aa355cc3cdf68a4c01d30a13801a5a80777600cd

C:\alvryx.pif

MD5 414984de22f7e6b9c1a3260ced4b744a
SHA1 9d47eb498b0c386827fa0cc804ac4f918089e6bc
SHA256 5b524bb7378d6f3062b1ae5c7deab6a6dd07fe41eadf0ea253f9b97794af26c9
SHA512 eb99a5404f59b77ca9462350253c35166bfef9b4dd5018e4a86d7ffbbad4617b01606df74b5b5c0e306773c0486345ce25116a4fbafdbd0315dbda83a2044f11
