Malware Analysis Report

2025-06-16 06:59

Sample ID 241104-epfg3aslh1
Target beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN
SHA256 beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cad
Tags sality backdoor discovery evasion trojan upx
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cad

Threat Level: Known bad

The file beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Modifies firewall policy service

Windows security bypass

Sality family

Sality

UAC bypass

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 04:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 04:06

Reported

2024-11-04 04:09

Platform

win10v2004-20241007-en

Max time kernel

37s

Max time network

121s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
File created C:\Windows\e5823bf C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A
File created C:\Windows\e57b882 C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57ba67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 4288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4288 wrote to memory of 4988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b805.exe
PID 4988 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\fontdrvhost.exe
PID 4988 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\fontdrvhost.exe
PID 4988 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\dwm.exe
PID 4988 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\sihost.exe
PID 4988 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\svchost.exe
PID 4988 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\taskhostw.exe
PID 4988 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\Explorer.EXE
PID 4988 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\svchost.exe
PID 4988 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\DllHost.exe
PID 4988 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4988 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\System32\RuntimeBroker.exe
PID 4988 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4988 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\System32\RuntimeBroker.exe
PID 4988 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4988 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\System32\RuntimeBroker.exe
PID 4988 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4988 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4988 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\system32\rundll32.exe
PID 4988 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Windows\SysWOW64\rundll32.exe
PID 4288 wrote to memory of 4428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57ba67.exe
PID 4988 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\e57b805.exe C:\Users\Admin\AppData\Local\Temp\e57ba67.exe
PID 4288 wrote to memory of 4192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc52.exe
PID 4192 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\fontdrvhost.exe
PID 4192 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\fontdrvhost.exe
PID 4192 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\dwm.exe
PID 4192 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\sihost.exe
PID 4192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\svchost.exe
PID 4192 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\taskhostw.exe
PID 4192 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\Explorer.EXE
PID 4192 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\svchost.exe
PID 4192 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\system32\DllHost.exe
PID 4192 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4192 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\System32\RuntimeBroker.exe
PID 4192 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e57fc52.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b805.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fc52.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57b805.exe

C:\Users\Admin\AppData\Local\Temp\e57b805.exe

C:\Users\Admin\AppData\Local\Temp\e57ba67.exe

C:\Users\Admin\AppData\Local\Temp\e57ba67.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57fc52.exe

C:\Users\Admin\AppData\Local\Temp\e57fc52.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\e57b805.exe

MD5 6ec3ad7c80f41a0bc24906b38812c51c
SHA1 3e8efa0470415f5095e46f1d7f4024281f9a89d2
SHA256 9c360222b1f4c29b787f79f68d3d512eeff8035535825ed9390f5048dbf0e950
SHA512 3f291b37034c3e69d3e341017744b38db9e78483aceba251e118563aeabb227fc4ba7b6be5ecf7d5f4a5ddeddfb2e4e8a0bef486ee03a7d240051fd5d4fa570a

C:\Windows\SYSTEM.INI

MD5 bfd94f005f3bdd67677e7a79ae35bec0
SHA1 1bad4405f744d518d25b1d9002a3ea78afd8e906
SHA256 01f85f68cb117207cd171a8f354cc0ed77034d8eb1fc63bcb20c569e3cddec6e
SHA512 5c22e7e727bfb1968d729c16604d35c8434bfe2ca44438787ce35acb87031e9580849e54a98d969664fa37ce1ec661a74f260a530762506fea27735b57c0ca75

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 04:06

Reported

2024-11-04 04:09

Platform

win7-20240903-en

Max time kernel

118s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76e2f0 C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
File created C:\Windows\f773498 C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
File created C:\Windows\f773bf7 C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2656 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2756 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e273.exe
PID 2284 wrote to memory of 2756 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e273.exe
PID 2284 wrote to memory of 2756 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e273.exe
PID 2284 wrote to memory of 2756 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e273.exe
PID 2756 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\taskhost.exe
PID 2756 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\Dwm.exe
PID 2756 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\DllHost.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\rundll32.exe
PID 2756 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e476.exe
PID 2284 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e476.exe
PID 2284 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e476.exe
PID 2284 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e476.exe
PID 2284 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe
PID 2284 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe
PID 2284 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe
PID 2284 wrote to memory of 2876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe
PID 2756 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\taskhost.exe
PID 2756 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\Dwm.exe
PID 2756 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Windows\system32\DllHost.exe
PID 2756 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Users\Admin\AppData\Local\Temp\f76e476.exe
PID 2756 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Users\Admin\AppData\Local\Temp\f76e476.exe
PID 2756 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe
PID 2756 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\f76e273.exe C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe
PID 2596 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe C:\Windows\system32\taskhost.exe
PID 2596 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe C:\Windows\system32\Dwm.exe
PID 2596 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe C:\Windows\Explorer.EXE
PID 2596 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f76e476.exe C:\Windows\system32\DllHost.exe
PID 2876 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe C:\Windows\system32\taskhost.exe
PID 2876 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe C:\Windows\system32\Dwm.exe
PID 2876 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe C:\Windows\Explorer.EXE
PID 2876 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76e273.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76e476.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\beb3391c0514db02c2ae92f2e3a30801dbcf50e8456488ffb863a48a6e931cadN.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76e273.exe

C:\Users\Admin\AppData\Local\Temp\f76e273.exe

C:\Users\Admin\AppData\Local\Temp\f76e476.exe

C:\Users\Admin\AppData\Local\Temp\f76e476.exe

C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe

C:\Users\Admin\AppData\Local\Temp\f76fdc0.exe

Network

N/A

Files

memory/2284-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2284-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2284-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2284-2-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76e273.exe

MD5 6ec3ad7c80f41a0bc24906b38812c51c
SHA1 3e8efa0470415f5095e46f1d7f4024281f9a89d2
SHA256 9c360222b1f4c29b787f79f68d3d512eeff8035535825ed9390f5048dbf0e950
SHA512 3f291b37034c3e69d3e341017744b38db9e78483aceba251e118563aeabb227fc4ba7b6be5ecf7d5f4a5ddeddfb2e4e8a0bef486ee03a7d240051fd5d4fa570a

memory/2756-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2284-12-0x0000000000140000-0x0000000000152000-memory.dmp

memory/2756-20-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-17-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-14-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-16-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-23-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-24-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2596-53-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2284-52-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2284-51-0x00000000001A0000-0x00000000001B2000-memory.dmp

memory/2284-49-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2756-22-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-21-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-19-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2284-41-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2756-60-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2756-59-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2756-18-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-40-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2284-32-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2284-31-0x0000000000180000-0x0000000000182000-memory.dmp

memory/1088-25-0x0000000001F10000-0x0000000001F12000-memory.dmp

memory/2756-62-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-61-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-63-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-64-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-65-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-81-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2876-80-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2284-79-0x0000000000140000-0x0000000000142000-memory.dmp

memory/2756-83-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-82-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-86-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-94-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-96-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2876-106-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2596-110-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2876-109-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2596-100-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2756-148-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2756-147-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-156-0x0000000000910000-0x00000000019CA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3008f3a15911d9dde5e4cfb16c76f6dd
SHA1 a439c6e7bcbc6173e19ee9da8a33a62c5a631818
SHA256 596d2da5cd4f32fbf65b1097c4372b511f84d14ad31bd650fd1b55ecaa6d80b6
SHA512 a4f6a401516031a4ae0f20fc1abf06e511f0d507b3a3715c63b6feaa57ca4d4179d35c4fd79a5f0e604b2f384e05e4979cb449575636a28940c64fb5eca93f99

memory/2596-157-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2596-192-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-191-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2876-236-0x0000000000400000-0x0000000000412000-memory.dmp