Malware Analysis Report

2025-06-16 06:59

Sample ID 241104-efsq2atdln
Target 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN
SHA256 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
Tags
sality backdoor discovery evasion trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f

Threat Level: Known bad

The file 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN was found to be: Known bad.

What the two detonations record is a Sality file infector carried by an NSIS uninstaller stub. The sample copies itself to %TEMP%\~nsuA.tmp\Un_A.exe (the dropped copy has the same SHA256 as the submitted file) and relaunches that copy with the NSIS _?= argument. Both copies then set EnableLUA = 0 to disable UAC, turn off the Standard-profile firewall, suppress Security Center notifications, write into the resident taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe processes, modify C:\Windows\SYSTEM.INI and drop C:\ktkgem.pif at the drive root. The only network activity is one DNS lookup and one HTTP connection to i-4101.b-5871.utweb.bench.utorrent.com.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Sality family

Windows security bypass

UAC bypass

Modifies firewall policy service

Sality

Executes dropped EXE

Loads dropped DLL

Windows security modification

Deletes itself

Enumerates connected drives

Checks whether UAC is enabled

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:53

Reported

2024-11-04 03:55

Platform

win7-20240903-en

Max time kernel

23s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Both the original sample and its relaunched copy Un_A.exe write the Windows Firewall policy for the Standard profile directly under the SharedAccess service key: EnableFirewall = 0 turns the firewall off, DoNotAllowExceptions = 0 keeps exceptions permitted, and DisableNotifications = 1 silences the resulting warning. The same six writes appear in the Windows 10 run (behavioral2).
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
The indicator is a policy change rather than a bypass of a prompt: EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System disables UAC system-wide once the machine reboots. Writing it requires administrative rights, which the sandbox user already has. The same two writes are reported again below under Checks whether UAC is enabled and System policy modification.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Windows security bypass

evasion trojan
Both processes write the Windows XP-era Security Center override and notification values. These are largely ignored by the Security Center on Windows 7 and later, but Sality writes the full set unconditionally, which makes them a dependable host artifact. The Wow6432Node path shows the writes went through the WOW64-redirected 32-bit view of HKLM\SOFTWARE, i.e. the sample is a 32-bit PE running on a 64-bit guest.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Executes dropped EXE

The dropped EXE is Un_A.exe in %TEMP%\~nsuA.tmp, launched with the argument _?=C:\Users\Admin\AppData\Local\Temp\ (see Processes). That is the standard NSIS uninstaller pattern: the uninstaller copies itself to a temporary directory so the copy can delete the original, which is also why Un_A.exe is the process that "deletes itself". Under Files the copy carries the same SHA256 as the submitted sample.
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Windows security modification

evasion trojan
Same Security Center value writes as under Windows security bypass, plus creation of the Security Center\Svc key by both processes.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Checks whether UAC is enabled

evasion trojan
The rows the sandbox attached to this signature are the EnableLUA = 0 writes already listed under UAC bypass; the read of EnableLUA that the signature name describes is not itself recorded.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates connected drives

Un_A.exe probes drive letters E: through K: read-only. Sality enumerates drives to find removable and network volumes to infect; the random-named C:\ktkgem.pif listed under Files is the root-directory copy it plants on the system drive (no autorun.inf is recorded in this run).
Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

UPX packed file

upx
Description Indicator Process Target
(signature matched 29 times; the sandbox records no indicator, process or target for these matches)

Drops file in Windows directory

The file is not dropped but modified: Sality uses C:\Windows\SYSTEM.INI as its infection marker, adding an [MCIDRV_VER] section to it. The hash of the modified file is listed under Files.
Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Suspicious use of AdjustPrivilegeToken

Both processes enable SeDebugPrivilege repeatedly before the cross-process writes listed under Suspicious use of WriteProcessMemory; the privilege is what lets an administrator-level process open other users' and system processes for writing.
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A (23 occurrences)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A (24 occurrences)

Suspicious use of WriteProcessMemory

The sample (PID 2100) and its relaunched copy Un_A.exe (PID 2328) each write into the resident system processes taskhost.exe, Dwm.exe, Explorer.EXE and the DllHost.exe COM surrogates that were already running in the guest; this is Sality's code injection, and it is why those system processes appear under Processes. The four writes from 2100 into 2328 are into the child the sample had just started.
Description Indicator Process Target
PID 2100 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\taskhost.exe
PID 2100 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\Dwm.exe
PID 2100 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\Explorer.EXE
PID 2100 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\DllHost.exe
PID 2100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2328 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\taskhost.exe
PID 2328 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\Dwm.exe
PID 2328 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\Explorer.EXE
PID 2328 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\DllHost.exe
PID 2328 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\taskhost.exe
PID 2328 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\Dwm.exe
PID 2328 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\Explorer.EXE
PID 2328 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\DllHost.exe
PID 2328 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\DllHost.exe
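The write pattern above is what a Sality infection looks like from the outside: the sample and its relaunched copy each write into the same resident system processes. The following Python is an added example by the editor, not part of the sandbox report; it parses rows in the sandbox's "PID <src> wrote to memory of <dst>" format into an injection graph and separates writes into pre-existing Windows processes from writes into the child the sample itself started. The sample input is a constructed subset of the table (image name shortened to sample.exe), and the Windows-directory heuristic is the editor's assumption.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above, as a
# constructed subset (sample image name shortened to sample.exe). Format:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
SAMPLE_ROWS = r"""
PID 2100 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\taskhost.exe
PID 2100 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\Dwm.exe
PID 2100 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Explorer.EXE
PID 2100 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\DllHost.exe
PID 2100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2328 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\taskhost.exe
PID 2328 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\Explorer.EXE
PID 2328 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\DllHost.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SYSTEM_ROOT = "c:\\windows\\"   # assumption: the guest's Windows directory


def write_kind(dst_img):
    """Heuristic (editor's assumption, not a sandbox rule): a write into a process
    whose image lives under the Windows directory is injection into a resident
    system process; anything else is treated as setup of a process the writer
    started itself (here: the relaunched Un_A.exe copy)."""
    return "injection" if dst_img.lower().startswith(SYSTEM_ROOT) else "own-child"


def injection_graph(text):
    """{src_pid: {dst_pid: {"image": ..., "writes": count, "kind": ...}}}"""
    graph = defaultdict(dict)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edge = graph[src].setdefault(
            dst, {"image": m["dst_img"], "writes": 0, "kind": write_kind(m["dst_img"])})
        edge["writes"] += 1
    return dict(graph)


def system_targets(graph, src):
    """PIDs of resident system processes written to by one source."""
    return {pid for pid, e in graph.get(src, {}).items() if e["kind"] == "injection"}


def shared_targets(graph):
    """System processes hit by every writer: the original sample and its relaunched
    copy both injecting into the same resident processes is the Sality pattern."""
    sets = [system_targets(graph, s) for s in graph]
    return set.intersection(*sets) if sets else set()


def summarize(graph):
    """One line per edge, e.g. '2100 -> 1104 taskhost.exe [injection x1]'."""
    lines = []
    for src in sorted(graph):
        for dst, e in sorted(graph[src].items()):
            name = e["image"].rsplit("\\", 1)[1]
            lines.append(f'{src} -> {dst} {name} [{e["kind"]} x{e["writes"]}]')
    return lines


if __name__ == "__main__":
    g = injection_graph(SAMPLE_ROWS)
    print("\n".join(summarize(g)))
    print("shared system targets:", sorted(shared_targets(g)))
```

On a live host the equivalent telemetry is Sysmon Event ID 10 (ProcessAccess) with a source image outside the Windows directory and a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20) against explorer.exe, taskhost.exe or dwm.exe; the same grouping by source and target applies.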

System policy modification

evasion
The same EnableLUA = 0 writes as under UAC bypass, surfaced a third time by a broader policy-key signature.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
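The firewall-policy, Security Center and EnableLUA writes above are spread over six overlapping signatures. The following Python is an added example by the editor, not code from the sandbox or the report; it parses rows in the sandbox's "Set value (int) <path> = "<data>" <process> <target>" / "Key created <path> <process> <target>" format, keeps only the writes that weaken a defence, groups them by value and writing process, and emits the reg.exe query an analyst would run on a suspect host to check the same value. The sample input is a constructed subset of the tables above; the impact table and the ControlSet001-to-CurrentControlSet rewrite are the editor's.

```python
import re

# Rows copied from the registry signature tables above (constructed subset;
# raw string so the backslashes stay literal).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
"""

# Key names may contain spaces ("Security Center"), so the path is matched lazily
# and anchored by the trailing process and target columns, which never do.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+) (?P<target>\S+)$'
)

# Value name -> (data that weakens the defence, what the write does).
# Editor's table, not the sandbox's.
WEAKENING = {
    "EnableLUA": ("0", "UAC disabled system-wide (HKLM policy, effective after reboot)"),
    "EnableFirewall": ("0", "Windows Firewall disabled for the Standard profile"),
    "DoNotAllowExceptions": ("0", "firewall exceptions permitted"),
    "DisableNotifications": ("1", "firewall notifications suppressed"),
    "AntiVirusOverride": ("1", "Security Center: AV state overridden"),
    "AntiVirusDisableNotify": ("1", "Security Center: AV warnings suppressed"),
    "FirewallOverride": ("1", "Security Center: firewall state overridden"),
    "FirewallDisableNotify": ("1", "Security Center: firewall warnings suppressed"),
    "UpdatesDisableNotify": ("1", "Security Center: update warnings suppressed"),
    "UacDisableNotify": ("1", "Security Center: UAC warnings suppressed"),
}


def parse_row(line):
    """Split one sandbox row into op/type/path/data/proc/target, or None."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def to_reg_query(path, is_key=False):
    """Native path -> reg.exe query for a live host. ControlSet001 is the
    sandbox snapshot's control set; a live host is checked via CurrentControlSet."""
    hives = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
    for native, short in hives.items():
        if path.startswith(native + "\\"):
            rest = path[len(native) + 1:]
            break
    else:
        raise ValueError(f"unknown hive: {path}")
    rest = re.sub(r"^SYSTEM\\ControlSet\d{3}\\", r"SYSTEM\\CurrentControlSet\\", rest)
    if is_key:
        return f'reg query "{short}\\{rest}"'
    key, value = rest.rsplit("\\", 1)
    return f'reg query "{short}\\{key}" /v {value}'


def tamper_report(text):
    """Group the weakening writes by (path, data): which defence they hit, which
    processes wrote them, and the reg.exe check to run on a suspect host."""
    findings = {}
    for line in text.strip().splitlines():
        row = parse_row(line)
        if row is None:
            continue
        name = row["path"].rsplit("\\", 1)[1]
        is_key = row["op"] == "Key created"
        if is_key and name == "Svc":
            impact = "Security Center\\Svc key created"
        elif name in WEAKENING and WEAKENING[name][0] == row["data"]:
            impact = WEAKENING[name][1]
        else:
            continue  # not a known weakening write
        entry = findings.setdefault((row["path"], row["data"]), {
            "value": name, "data": row["data"], "impact": impact,
            "processes": set(), "check": to_reg_query(row["path"], is_key)})
        entry["processes"].add(row["proc"].rsplit("\\", 1)[1])
    return list(findings.values())


if __name__ == "__main__":
    for f in tamper_report(SAMPLE_ROWS):
        print(f'{f["value"]:<22} = {str(f["data"]):<5} {f["impact"]}')
        print(f'    written by: {", ".join(sorted(f["processes"]))}')
        print(f'    check:      {f["check"]}')
```

The generated reg query lines are for the 64-bit view when run from a 64-bit shell; to read the Wow6432Node values exactly as the 32-bit sample wrote them, keep the Wow6432Node component in the path as emitted rather than dropping it.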

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

"C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

The only traffic is a DNS lookup through 8.8.8.8 and one HTTP connection to a utorrent.com host. Together with the NSIS INetC.dll plugin listed under Files this is consistent with the uninstaller's own internet call rather than Sality command-and-control; treat the domain as a weak indicator. No Sality peer-to-peer traffic was observed within the 119 s network window.
Country Destination Domain Proto
US 8.8.8.8:53 i-4101.b-5871.utweb.bench.utorrent.com udp
US 52.54.104.164:80 i-4101.b-5871.utweb.bench.utorrent.com tcp

Files

memory/2100-0-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2100-1-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-3-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-7-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-5-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-4-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-27-0x0000000002F70000-0x0000000002F72000-memory.dmp

memory/2100-26-0x0000000002F70000-0x0000000002F72000-memory.dmp

memory/2100-8-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-25-0x00000000045C0000-0x00000000045C1000-memory.dmp

memory/2100-22-0x00000000045C0000-0x00000000045C1000-memory.dmp

memory/2100-21-0x0000000002F70000-0x0000000002F72000-memory.dmp

memory/1104-14-0x00000000004F0000-0x00000000004F2000-memory.dmp

memory/2100-11-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-9-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-6-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-10-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 76e4c67f2f63c5b0cf1c17fb6c43c760
SHA1 bcaccce30f728ba7efe489a16c8f14235347967f
SHA256 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
SHA512 78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7
(SHA256 identical to the submitted sample: Un_A.exe is the sample copied unchanged, the way an NSIS uninstaller relaunches itself from %TEMP%)

memory/2100-32-0x0000000004DB0000-0x0000000004E21000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoD6B1.tmp\System.dll
(the DLLs unpacked into nsoD6B1.tmp, System.dll, nsDialogs.dll, UAC.dll, FindProcDLL.dll, nsisFirewall.dll and INetC.dll, are by name stock NSIS plugins of the uninstaller and account for the "Loads dropped DLL" signature; the hashes are listed so they can be compared against a clean NSIS install)

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

memory/2100-36-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-65-0x0000000002F70000-0x0000000002F72000-memory.dmp

memory/2100-37-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-75-0x0000000001DC0000-0x0000000002E4E000-memory.dmp

memory/2100-74-0x0000000000400000-0x0000000000471000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoD6B1.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

\Users\Admin\AppData\Local\Temp\nsoD6B1.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\0F76D6B0_Rar\Un_A.exe

MD5 0a5c25e3cd2be05bd66d913daf651928
SHA1 3077abd0e78b2c8c441944130e98df74b9843693
SHA256 7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04
SHA512 aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283

memory/2328-80-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-87-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-85-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-79-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-84-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-82-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-100-0x0000000002030000-0x0000000002032000-memory.dmp

memory/2328-101-0x0000000002030000-0x0000000002032000-memory.dmp

memory/2328-78-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-99-0x0000000002040000-0x0000000002041000-memory.dmp

memory/2328-81-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-86-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-83-0x0000000004020000-0x00000000050AE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3ff5ddaa0118f8a7eabb12c1d7fec551
SHA1 e3630628b949c730f58da105e1906e3995c48ce3
SHA256 6da8f40cd5052b6c3e2b4b9738f9e1e6c7b83a32db4acd9ec0e7a7276db23d3b
SHA512 c46cb8ddb8d5ea9a12f892a885e3ce0a568ff56a22a4a1fe224e20b912041d32530d44449001867d15a47a5b2ab3158672c527926cb373e2b365f2bb52e07f00

memory/2328-88-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-102-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-103-0x0000000004020000-0x00000000050AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsoD6B1.tmp\FindProcDLL.dll

MD5 b4faf654de4284a89eaf7d073e4e1e63
SHA1 8efcfd1ca648e942cbffd27af429784b7fcf514b
SHA256 c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
SHA512 eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

\Users\Admin\AppData\Local\Temp\nsoD6B1.tmp\nsisFirewall.dll

MD5 f5bf81a102de52a4add21b8a367e54e0
SHA1 cf1e76ffe4a3ecd4dad453112afd33624f16751c
SHA256 53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
SHA512 6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

\Users\Admin\AppData\Local\Temp\nsoD6B1.tmp\INetC.dll

MD5 640bff73a5f8e37b202d911e4749b2e9
SHA1 9588dd7561ab7de3bca392b084bec91f3521c879
SHA256 c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA512 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

memory/2328-104-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-137-0x0000000004020000-0x00000000050AE000-memory.dmp

memory/2328-143-0x0000000004020000-0x00000000050AE000-memory.dmp

C:\ktkgem.pif
(random-named .pif at the drive root, the copy Sality plants for spreading via removable drives; no autorun.inf is recorded in this run)

MD5 fa33dec2644158a59fdc46ef6a77d945
SHA1 648f603e00315b6afad1d0e7d6fa5610aab7fc07
SHA256 09390989b3dcc99d525b2e434e782995aadf632b8ba9aa2d69e86da1e1b2f106
SHA512 d8e4929c3a781bf405be2288cefc33fb7b9d1b838b4f36ca6eed1ef82aa887e7837b3f13b9f7f479edeef6d36fbd44d222f713ad8c6b9649a01b9c8c75a7542e

memory/2328-229-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 03:53

Reported

2024-11-04 03:55

Platform

win10v2004-20241007-en

Max time kernel

36s

Max time network

105s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\fontdrvhost.exe
PID 4068 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\fontdrvhost.exe
PID 4068 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\dwm.exe
PID 4068 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\sihost.exe
PID 4068 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\svchost.exe
PID 4068 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\taskhostw.exe
PID 4068 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\Explorer.EXE
PID 4068 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\svchost.exe
PID 4068 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\DllHost.exe
PID 4068 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4068 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\System32\RuntimeBroker.exe
PID 4068 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4068 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\System32\RuntimeBroker.exe
PID 4068 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\System32\RuntimeBroker.exe
PID 4068 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4068 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4068 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 4068 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 4068 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 3492 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\fontdrvhost.exe
PID 3492 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\fontdrvhost.exe
PID 3492 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\dwm.exe
PID 3492 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\sihost.exe
PID 3492 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\svchost.exe
PID 3492 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\taskhostw.exe
PID 3492 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\Explorer.EXE
PID 3492 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\svchost.exe
PID 3492 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\DllHost.exe
PID 3492 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3492 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3492 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3492 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3492 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3492 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\fontdrvhost.exe
PID 3492 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\fontdrvhost.exe
PID 3492 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\dwm.exe
PID 3492 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\sihost.exe
PID 3492 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\svchost.exe
PID 3492 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\taskhostw.exe
PID 3492 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\Explorer.EXE
PID 3492 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\svchost.exe
PID 3492 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\DllHost.exe
PID 3492 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3492 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3492 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3492 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3492 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3492 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 3492 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\fontdrvhost.exe
PID 3492 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\fontdrvhost.exe
PID 3492 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\dwm.exe
PID 3492 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\sihost.exe
PID 3492 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\svchost.exe
PID 3492 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\system32\taskhostw.exe
PID 3492 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

"C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 i-4101.b-5871.utweb.bench.utorrent.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 34.194.202.171:80 i-4101.b-5871.utweb.bench.utorrent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 171.202.194.34.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4068-0-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4068-1-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/4068-4-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/4068-9-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/4068-13-0x0000000003C70000-0x0000000003C72000-memory.dmp

memory/4068-11-0x0000000003C70000-0x0000000003C72000-memory.dmp

memory/4068-5-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/4068-6-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/4068-10-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/4068-21-0x0000000002270000-0x00000000032FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 76e4c67f2f63c5b0cf1c17fb6c43c760
SHA1 bcaccce30f728ba7efe489a16c8f14235347967f
SHA256 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
SHA512 78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

memory/4068-7-0x0000000003C70000-0x0000000003C72000-memory.dmp

memory/4068-8-0x0000000004070000-0x0000000004071000-memory.dmp

memory/4068-3-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/3492-30-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4068-31-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E57B1DB_Rar\Un_A.exe

MD5 0a5c25e3cd2be05bd66d913daf651928
SHA1 3077abd0e78b2c8c441944130e98df74b9843693
SHA256 7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04
SHA512 aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283

C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

C:\Windows\SYSTEM.INI

MD5 c49772446d4a57b9a8a7b09847fe5553
SHA1 4f6217a648478a2f8436c6598f9d1e9ddf6dc916
SHA256 16f8bb0efed92c0d44e3bb591cfa2b495b2b42697250195bd5024e85a74c83f7
SHA512 6066c717ebe250251e68e5c3034df41ac7a2dd282602163043a7b2b1e6a5e5a147c7c7e93b56927fb965697ab0886eb0102e2abfdab134f0b0dcc4ea4685966a

memory/3492-57-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-62-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-61-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-64-0x0000000003860000-0x0000000003862000-memory.dmp

memory/3492-56-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-54-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-55-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-59-0x0000000006160000-0x0000000006161000-memory.dmp

memory/3492-53-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-51-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-60-0x0000000003860000-0x0000000003862000-memory.dmp

memory/3492-63-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-67-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-66-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\FindProcDLL.dll

MD5 b4faf654de4284a89eaf7d073e4e1e63
SHA1 8efcfd1ca648e942cbffd27af429784b7fcf514b
SHA256 c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
SHA512 eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

memory/3492-68-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\nsisFirewall.dll

MD5 f5bf81a102de52a4add21b8a367e54e0
SHA1 cf1e76ffe4a3ecd4dad453112afd33624f16751c
SHA256 53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
SHA512 6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\INetC.dll

MD5 640bff73a5f8e37b202d911e4749b2e9
SHA1 9588dd7561ab7de3bca392b084bec91f3521c879
SHA256 c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA512 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

memory/3492-101-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-100-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-104-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-105-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-107-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-108-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-109-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-111-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-112-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-113-0x0000000003860000-0x0000000003862000-memory.dmp

memory/3492-115-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-118-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-126-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-127-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-129-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-128-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-132-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

memory/3492-133-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

C:\jkehu.pif

MD5 119c4dd6a29bcc6cd20a755d763f3971
SHA1 6d0e186b29ff0d5cb09da04e852556af5afc4e46
SHA256 c2f61814043eb744d2192557e0e543f275731073309c699d6df07632d76a3940
SHA512 797782156b7da9eb7a144bdf70c1abb092c21c3d94a2cc8c39be867a9a9e0e1077ecfd879eede4f5e903939c9e4e6f571e36117198746cf069cf21483571a5de

memory/3492-162-0x0000000000400000-0x0000000000471000-memory.dmp