Malware Analysis Report

2024-11-15 10:28

Sample ID 241110-b7kmyswlgv
Target 7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N
SHA256 7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06
Tags
sality backdoor discovery evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06

Threat Level: Known bad

The file 7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

UAC bypass

Sality

Sality family

Modifies firewall policy service

Windows security bypass

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

UPX packed file

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:47

Reported

2024-11-10 01:49

Platform

win7-20241010-en

Max time kernel

119s

Max time network

62s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(the row above is repeated 35 times in the original report; no indicator, process or target details were recorded for any of the UPX matches)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f779aaa C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
(the row above is repeated 25 times in the original report; every occurrence is the same SeDebugPrivilege adjustment by the same process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\taskhost.exe
PID 2116 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\Dwm.exe
PID 2116 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\Explorer.EXE
PID 2116 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\DllHost.exe
(this block of four rows is repeated 12 times in the original report, 48 rows in total; the sample process, PID 2116, writes into the same four system processes each time)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe

"C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe"

Network

N/A

Files

memory/2116-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2116-1-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-9-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-3-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-7-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-12-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-11-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-10-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-4-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-6-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-29-0x0000000003150000-0x0000000003151000-memory.dmp

memory/2116-31-0x0000000000600000-0x0000000000602000-memory.dmp

memory/2116-8-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-5-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-26-0x0000000003150000-0x0000000003151000-memory.dmp

memory/2116-25-0x0000000000600000-0x0000000000602000-memory.dmp

memory/1112-18-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2116-33-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-32-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-34-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-35-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-36-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-38-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-39-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-40-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-41-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-44-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-45-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-52-0x0000000000600000-0x0000000000602000-memory.dmp

memory/2116-53-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-54-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-57-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-58-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-60-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-63-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-64-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-65-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-67-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-68-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-71-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-73-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2116-74-0x0000000000980000-0x0000000001A3A000-memory.dmp

C:\acyg.pif

MD5 2cb72e1f94bb268fad32c84bc61f2bbf
SHA1 92818c3ca3954f41519acd6c6d986dee8c9c0071
SHA256 141700f7fc0b0f9b642701ad35fef84cb4070e2e8d4bd4cb41f8d0d68128fbec
SHA512 e0f41a4f1b06abb50af4b3727a00067bd051cd634c5be59f26165723fdb3934e37130d18a64d89b6033df8c3401a9dae2f004b88616fd3fc6bd3cd0270d34553

memory/2116-138-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:47

Reported

2024-11-10 01:49

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e579990 C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\dwm.exe
PID 4932 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\sihost.exe
PID 4932 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\taskhostw.exe
PID 4932 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\Explorer.EXE
PID 4932 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\DllHost.exe
PID 4932 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4932 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4932 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4932 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4932 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\dwm.exe
PID 4932 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\sihost.exe
PID 4932 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\taskhostw.exe
PID 4932 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\Explorer.EXE
PID 4932 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\DllHost.exe
PID 4932 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4932 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4932 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4932 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\dwm.exe
PID 4932 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\sihost.exe
PID 4932 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\taskhostw.exe
PID 4932 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\Explorer.EXE
PID 4932 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\DllHost.exe
PID 4932 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4932 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4932 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4932 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\fontdrvhost.exe
PID 4932 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\dwm.exe
PID 4932 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\sihost.exe
PID 4932 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\taskhostw.exe
PID 4932 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\Explorer.EXE
PID 4932 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\svchost.exe
PID 4932 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\system32\DllHost.exe
PID 4932 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4932 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4932 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\System32\RuntimeBroker.exe
PID 4932 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe

"C:\Users\Admin\AppData\Local\Temp\7d77b25d42e35c2fe127778837d9f271babb3d76126e5e05134356ba65af8b06N.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

F:\gnyij.pif

MD5 a308c7ba601a39470ee5768e31677a08
SHA1 7591f18c79dfb1744a8732882d66853a297fc54a
SHA256 2e7585047d1651e0a33d634b953ab40e044623469de0796e77ccd0cc888b485e
SHA512 065115b9a3c51038f665be4ff526440815a89ab8f575162650fa6f3347bbdb9b653d8897d80af7c21160344554e4858bcb4ce6e4fe253fc3a3958b8c6db7b958