Malware Analysis Report

2024-09-11 12:19

Sample ID 240618-zxd97a1blj
Target 484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff
SHA256 484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff

Threat Level: Known bad

The file 484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Sality

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Loads dropped DLL

Windows security modification

Executes dropped EXE

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 21:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 21:05

Reported

2024-06-18 21:08

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
File created C:\Windows\f7661ee C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A
File created C:\Windows\f7611bc C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1208 wrote to memory of 2464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761140.exe
PID 2464 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\taskhost.exe
PID 2464 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\Dwm.exe
PID 2464 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\Explorer.EXE
PID 2464 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\DllHost.exe
PID 2464 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\system32\rundll32.exe
PID 2464 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Windows\SysWOW64\rundll32.exe
PID 1208 wrote to memory of 2676 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 1208 wrote to memory of 1896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe
PID 2464 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Users\Admin\AppData\Local\Temp\f7612d5.exe
PID 2464 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\f761140.exe C:\Users\Admin\AppData\Local\Temp\f762d09.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761140.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7612d5.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761140.exe

C:\Users\Admin\AppData\Local\Temp\f761140.exe

C:\Users\Admin\AppData\Local\Temp\f7612d5.exe

C:\Users\Admin\AppData\Local\Temp\f7612d5.exe

C:\Users\Admin\AppData\Local\Temp\f762d09.exe

C:\Users\Admin\AppData\Local\Temp\f762d09.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761140.exe

MD5 5b1ac9ee9515ff6c1d25337cfd1daea8
SHA1 4757bbfe5fc033c6e359f58930404dff9cfbc0a9
SHA256 e1e1f9df2c2f3f40895633ff00b9d91fa26aa811f00c14918456c19921d5077b
SHA512 288bfaf6387dbb48c69328eae412d2318d9a13637e5a41538a83dccaf9c1039b2fb32a19f2730af39071ae3dc210623ca1842bf8018cfa43e745e47d62980222

C:\Windows\SYSTEM.INI

MD5 f844ecac7816ead5b068e7a97da830b2
SHA1 a9497474be57632f86a2b4e0a72ac9e79c1025f0
SHA256 d23cf0444206dc9d71aa8b1c0176594055727bedbc48e853c38d9fae1070a649
SHA512 611a91dd26290a01114ca71841380dee916d264748963596d2d4cf2b20f150ed084576410628b5b7a88bc6922de57a7fdd2227fd4c4250362fe4e774009df585

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 21:05

Reported

2024-06-18 21:08

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\e57e04e | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
File created | C:\Windows\e5833ad | C:\Users\Admin\AppData\Local\Temp\e580c20.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 212 wrote to memory of 3592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 3592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 3592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3592 wrote to memory of 3212 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe
PID 3592 wrote to memory of 3212 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe
PID 3592 wrote to memory of 3212 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe
PID 3212 wrote to memory of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\fontdrvhost.exe
PID 3212 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\fontdrvhost.exe
PID 3212 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\dwm.exe
PID 3212 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\sihost.exe
PID 3212 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\svchost.exe
PID 3212 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\taskhostw.exe
PID 3212 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\Explorer.EXE
PID 3212 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\svchost.exe
PID 3212 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\DllHost.exe
PID 3212 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3212 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3212 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3212 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\backgroundTaskHost.exe
PID 3212 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\rundll32.exe
PID 3212 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3212 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3592 wrote to memory of 1036 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57e119.exe
PID 3592 wrote to memory of 1036 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57e119.exe
PID 3592 wrote to memory of 1036 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57e119.exe
PID 3212 wrote to memory of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\fontdrvhost.exe
PID 3212 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\fontdrvhost.exe
PID 3212 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\dwm.exe
PID 3212 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\sihost.exe
PID 3212 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\svchost.exe
PID 3212 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\taskhostw.exe
PID 3212 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\Explorer.EXE
PID 3212 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\svchost.exe
PID 3212 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\DllHost.exe
PID 3212 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3212 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3212 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3212 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\backgroundTaskHost.exe
PID 3212 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\system32\rundll32.exe
PID 3212 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Users\Admin\AppData\Local\Temp\e57e119.exe
PID 3212 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Users\Admin\AppData\Local\Temp\e57e119.exe
PID 3212 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3212 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3212 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3592 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e580c20.exe
PID 3592 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e580c20.exe
PID 3592 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e580c20.exe
PID 3592 wrote to memory of 3916 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e580c7e.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e580c20.exe | N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffd9946ceb8,0x7ffd9946cec4,0x7ffd9946ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2296,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2400,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3420 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\484ef377a8a3a666c5360bc148cfaf3307b069a99c1cfffd9035144ff84b49ff.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe

C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe

C:\Users\Admin\AppData\Local\Temp\e57e119.exe

C:\Users\Admin\AppData\Local\Temp\e57e119.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e580c20.exe

C:\Users\Admin\AppData\Local\Temp\e580c20.exe

C:\Users\Admin\AppData\Local\Temp\e580c7e.exe

C:\Users\Admin\AppData\Local\Temp\e580c7e.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\e57dfc1.exe

MD5 5b1ac9ee9515ff6c1d25337cfd1daea8
SHA1 4757bbfe5fc033c6e359f58930404dff9cfbc0a9
SHA256 e1e1f9df2c2f3f40895633ff00b9d91fa26aa811f00c14918456c19921d5077b
SHA512 288bfaf6387dbb48c69328eae412d2318d9a13637e5a41538a83dccaf9c1039b2fb32a19f2730af39071ae3dc210623ca1842bf8018cfa43e745e47d62980222

memory/3592-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3212-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3212-6-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-11-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-10-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3592-26-0x0000000000B00000-0x0000000000B02000-memory.dmp

memory/3212-12-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-27-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-30-0x0000000003660000-0x0000000003662000-memory.dmp

memory/3212-28-0x0000000003660000-0x0000000003662000-memory.dmp

memory/3592-25-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/3592-19-0x0000000000B00000-0x0000000000B02000-memory.dmp

memory/3592-13-0x0000000000B00000-0x0000000000B02000-memory.dmp

memory/3212-16-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/3212-9-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-8-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-33-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-31-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-34-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-36-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-37-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-38-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-39-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-40-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/1036-43-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1036-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1036-45-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3212-46-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4844-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3592-56-0x0000000000B00000-0x0000000000B02000-memory.dmp

memory/3212-59-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-60-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-62-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-63-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-65-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-66-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-69-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-71-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-72-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-84-0x0000000003660000-0x0000000003662000-memory.dmp

memory/3212-77-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/3212-92-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1036-96-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 50116709c013a768e7b305ab53e5b9d0
SHA1 e6ec6c0871ed9fa2abab50e06defb4b4e78fae57
SHA256 4db5b8d45ac24997729abcecaa679d42616a31dc1d3af7abd2a6956836ed11ba
SHA512 2ebceffa89cee25b32eacf23f4ca48d28bfb16480535a6e7fcff51444a3585ca56b0dcf2358799ea8d8d1057d20cb3d94371489f3c3f479c53f8e9bb525b0c8f

memory/4844-112-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4844-157-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4844-156-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/3916-155-0x0000000000400000-0x0000000000412000-memory.dmp