Malware Analysis Report

2024-12-07 04:26

Sample ID 241113-v56beszkbm
Target b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.exe
SHA256 b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2
Tags sality backdoor discovery evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2

Threat Level: Known bad

The file b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

UAC bypass

Sality family

Modifies firewall policy service

Sality

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 17:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 17:35
Reported 2024-11-13 17:37
Platform win7-20240903-en
Max time kernel 33s
Max time network 17s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f769b65 | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
File created | C:\Windows\f764b43 | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3004 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2632 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe
PID 2728 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\taskhost.exe
PID 2728 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\Dwm.exe
PID 2728 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\Explorer.EXE
PID 2728 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\DllHost.exe
PID 2728 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\rundll32.exe
PID 2728 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2632 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe
PID 2632 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76677a.exe
PID 2728 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\taskhost.exe
PID 2728 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\Dwm.exe
PID 2728 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\Explorer.EXE
PID 2728 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Windows\system32\DllHost.exe
PID 2728 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe
PID 2728 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Users\Admin\AppData\Local\Temp\f76677a.exe
PID 2768 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | C:\Windows\system32\taskhost.exe
PID 2768 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | C:\Windows\system32\Dwm.exe
PID 2768 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | N/A

Processes

Process | Command Line
C:\Windows\system32\taskhost.exe | "taskhost.exe"
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1
C:\Users\Admin\AppData\Local\Temp\f764ac6.exe | C:\Users\Admin\AppData\Local\Temp\f764ac6.exe
C:\Users\Admin\AppData\Local\Temp\f764c7b.exe | C:\Users\Admin\AppData\Local\Temp\f764c7b.exe
C:\Users\Admin\AppData\Local\Temp\f76677a.exe | C:\Users\Admin\AppData\Local\Temp\f76677a.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f764ac6.exe

MD5 89d5b031b2b1b401ebcdc3da1ddb62e7
SHA1 0bc8c57e96a240918bac201759cfd366843cec6c
SHA256 9e216be8e972cc2f483494fcd58460c5ef60036d8af53a3a00dda17c6c83ac3f
SHA512 fb9ab954a2178d50be978f8666e30240cc0bddb2bd1bbc869284f3d490d1e181fc19f3e618f78e191b6f6e81b332d0413a2b0a58e1d3e2f69009675aab5deb06

C:\Windows\SYSTEM.INI

MD5 f553212a17de5efa43d137d1099b4a36
SHA1 32aded185746e937ead852a5df822ea243c62c41
SHA256 4d1adbc55ac48612bfd8c4195850fd5218898b9cc717b51b819fd10619109b2c
SHA512 3a2a3de9c7c1077842e64bfb08c8712413b6b9e65b9a8414f31d7830904881e5cb6677a97121f77efcf79ddfa7f08db0b5dd33fcaf76fde6f00959a07bc1dac7

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-13 17:35
Reported 2024-11-13 17:37
Platform win10v2004-20241007-en
Max time kernel 94s
Max time network 95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579153.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5793d4.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5793d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57acab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57fb19 C:\Users\Admin\AppData\Local\Temp\e57acab.exe N/A
File created C:\Windows\e5791b1 C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
File created C:\Windows\e57e251 C:\Users\Admin\AppData\Local\Temp\e5793d4.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57acab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57acca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5793d4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 3256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)
PID 3256 wrote to memory of 2896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579153.exe (3 identical rows)
PID 2896 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\fontdrvhost.exe
PID 2896 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\fontdrvhost.exe
PID 2896 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\dwm.exe
PID 2896 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\sihost.exe
PID 2896 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\svchost.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\taskhostw.exe
PID 2896 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\Explorer.EXE
PID 2896 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\svchost.exe
PID 2896 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\DllHost.exe
PID 2896 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2896 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2896 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2896 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2896 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\rundll32.exe
PID 2896 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SysWOW64\rundll32.exe (2 identical rows)
PID 3256 wrote to memory of 4384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5793d4.exe (3 identical rows)
PID 3256 wrote to memory of 3820 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57acab.exe (3 identical rows)
PID 3256 wrote to memory of 1028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57acca.exe (3 identical rows)
PID 2896 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\fontdrvhost.exe
PID 2896 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\fontdrvhost.exe
PID 2896 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\dwm.exe
PID 2896 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\sihost.exe
PID 2896 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\svchost.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\taskhostw.exe
PID 2896 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\Explorer.EXE
PID 2896 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\svchost.exe
PID 2896 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\DllHost.exe
PID 2896 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2896 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2896 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2896 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Users\Admin\AppData\Local\Temp\e5793d4.exe (2 identical rows)
PID 2896 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Users\Admin\AppData\Local\Temp\e57acab.exe (2 identical rows)
PID 2896 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Users\Admin\AppData\Local\Temp\e57acca.exe (2 identical rows)
PID 4384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\fontdrvhost.exe
PID 4384 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\fontdrvhost.exe
PID 4384 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\dwm.exe
PID 4384 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\sihost.exe
PID 4384 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\svchost.exe
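The WriteProcessMemory table above is the most telling part of this detonation: a 64-bit rundll32 writes into a 32-bit rundll32, which writes into the dropped e579153.exe, which then writes into nearly every process of the interactive session, and the second-stage e5793d4.exe starts the same spray. The Python below is an added example, not part of the sandbox report or of the sample: it parses rows of that shape, collapses repeated rows into edge counts, flags any writer that reaches five or more distinct processes whose image lives under C:\Windows, and walks the edges backwards to recover a launch chain. The rows are a subset copied from the table above; the threshold of five, the names build_graph, injectors and ancestry, and the rule that the earliest-listed writer of a PID is treated as its parent are choices made for this example, since the table carries no parent PIDs.

```python
import re
from collections import Counter, defaultdict

# Shape of the rows in the "Suspicious use of WriteProcessMemory" table.
WRITE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$")


def parse_write(row):
    """One 'PID X wrote to memory of Y' row -> dict, or None for any other row shape."""
    m = WRITE.match(row)
    return m.groupdict() if m else None


def build_graph(rows):
    """Edge counter keyed by (writer_pid, target_pid), kept in first-seen order,
    plus the image path reported for each PID."""
    edges = Counter()
    image = {}
    for row in rows:
        ev = parse_write(row)
        if ev is None:
            continue
        src, dst = int(ev["src"]), int(ev["dst"])
        edges[(src, dst)] += 1          # duplicate rows become a count, not new edges
        image[src] = ev["src_img"]
        image[dst] = ev["dst_img"]
    return edges, image


def is_windows_image(path):
    """True for binaries under C:\\Windows, the resident hosts a file infector spreads into."""
    return path.lower().startswith("c:\\windows\\")


def injectors(edges, image, min_targets=5):
    """Writers that reach at least min_targets distinct C:\\Windows processes.
    A dropper in %TEMP% has no benign reason to write into dwm, sihost, Explorer
    and a row of RuntimeBroker instances in a single run.  (Threshold is an assumption.)"""
    targets = defaultdict(set)
    for src, dst in edges:
        if is_windows_image(image[dst]):
            targets[src].add(dst)
    return sorted((src, image[src], len(pids))
                  for src, pids in targets.items() if len(pids) >= min_targets)


def ancestry(edges, pid):
    """Walk writer edges backwards from pid.  The earliest-listed writer of each hop
    is taken as its parent (assumption); a PID already on the chain is skipped so the
    2896 <-> 3256 cycle in this report cannot loop."""
    chain = [pid]
    while True:
        writers = [s for s, d in edges if d == chain[-1] and s not in chain]
        if not writers:
            return chain[::-1]
        chain.append(writers[0])


# Rows copied from the table above (a subset; the first row is kept twice as it
# appears in the report, to show duplicate collapsing).
REPORT_ROWS = [
    r"PID 4548 wrote to memory of 3256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 4548 wrote to memory of 3256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 3256 wrote to memory of 2896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579153.exe",
    r"PID 2896 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\fontdrvhost.exe",
    r"PID 2896 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\dwm.exe",
    r"PID 2896 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\sihost.exe",
    r"PID 2896 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\svchost.exe",
    r"PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\taskhostw.exe",
    r"PID 2896 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\Explorer.EXE",
    r"PID 2896 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\System32\RuntimeBroker.exe",
    r"PID 2896 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\system32\rundll32.exe",
    r"PID 2896 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 3256 wrote to memory of 4384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5793d4.exe",
    r"PID 2896 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\e579153.exe C:\Users\Admin\AppData\Local\Temp\e5793d4.exe",
    r"PID 4384 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\fontdrvhost.exe",
    r"PID 4384 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e5793d4.exe C:\Windows\system32\dwm.exe",
]

if __name__ == "__main__":
    edges, image = build_graph(REPORT_ROWS)
    for src, img, n in injectors(edges, image):
        print(f"PID {src} ({img}) wrote into {n} distinct C:\\Windows processes")
    chain = " -> ".join(f"{p} {image[p].split(chr(92))[-1]}" for p in ancestry(edges, 2896))
    print("launch chain:", chain)
```

With the full table fed in, the second-stage PID 4384 crosses the same threshold once its five system targets are counted, so the check fires on each dropped stage rather than only on the first.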

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5793d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57acab.exe N/A
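The registry rows in the Security Center table, the "Checks whether UAC is enabled" table and the "System policy modification" table above all describe one thing: the three dropped stages turn off the notifications and overrides that would surface a disabled AV, firewall or UAC, and set EnableLUA to 0 so the change survives a reboot. The Python below is an added example, not part of the sandbox report or of the sample: it parses rows in the report's "Set value" and "Key created" shape, maps the native \REGISTRY\MACHINE path and the WOW6432Node view to a single HKLM form, and reports every row that moves a policed setting away from the value a healthy host carries, tagged with the ATT&CK technique it maps to. The sample rows are copied from the tables above, except the last one, which is constructed to show a non-policed write being ignored. The policy table, the names TAMPER_POLICY, assess and techniques_by_process, and the inclusion of the SharedAccess EnableFirewall value (a Windows setting, set by no row in this section) are choices made for this example.

```python
import re
from collections import defaultdict

# Settings this family flips, the value a healthy host carries, and the ATT&CK
# technique the change maps to.  Paths omit the WOW6432Node hop so rows from
# either registry view match the same rule.  (Policy table is an assumption.)
TAMPER_POLICY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA":
        ("1", "T1548.002 Bypass User Account Control"),
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride":
        ("0", "T1562.001 Disable or Modify Tools"),
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify":
        ("0", "T1562.001 Disable or Modify Tools"),
    r"HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify":
        ("0", "T1562.001 Disable or Modify Tools"),
    r"HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify":
        ("0", "T1548.002 Bypass User Account Control"),
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride":
        ("0", "T1562.004 Disable or Modify System Firewall"),
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify":
        ("0", "T1562.004 Disable or Modify System Firewall"),
    r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall":
        ("1", "T1562.004 Disable or Modify System Firewall"),
}

# Row shapes used by the registry signature tables in this report.
SET_VALUE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$')
KEY_CREATED = re.compile(
    r'^Key created (?P<path>\\REGISTRY\\.+?) (?P<process>\S+) (?P<target>\S+)$')


def normalise(path):
    """Map the native \\REGISTRY\\MACHINE prefix to HKLM and drop the WOW6432Node view."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path)
    return path.replace(r"\WOW6432Node", "")


def parse_row(row):
    """One signature-table row -> dict, or None when the row has another shape."""
    m = SET_VALUE.match(row)
    if m:
        return dict(m.groupdict(), op="set")
    m = KEY_CREATED.match(row)
    if m:
        return dict(m.groupdict(), op="create", kind=None, data=None)
    return None


def assess(rows):
    """Findings (process, key, observed, expected, technique) for every 'Set value'
    row that moves a policed setting away from its healthy value."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        if ev is None or ev["op"] != "set":
            continue
        key = normalise(ev["path"])
        rule = TAMPER_POLICY.get(key)
        if rule and ev["data"] != rule[0]:
            findings.append((ev["process"], key, ev["data"], rule[0], rule[1]))
    return findings


def techniques_by_process(findings):
    """Sorted ATT&CK technique IDs per writing process."""
    out = defaultdict(set)
    for process, _key, _observed, _expected, technique in findings:
        out[process].add(technique.split()[0])
    return {p: sorted(ids) for p, ids in out.items()}


# Rows copied from the tables above (one per distinct value), plus one
# constructed benign row the policy filter must ignore.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5793d4.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5793d4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57acab.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579153.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57acab.exe N/A',
    # constructed, not from the report: a non-policed key, produces no finding
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData = "C:\ProgramData" C:\Windows\explorer.exe N/A',
]

if __name__ == "__main__":
    for process, key, observed, expected, technique in assess(REPORT_ROWS):
        print(f"{process.split(chr(92))[-1]:14} {key.split(chr(92))[-1]:22} "
              f"= {observed} (expected {expected})  {technique}")
```

The same policy table doubles as a host-side check: query each HKLM path listed in it on a machine that ran this sample and any value differing from the expected column is residue the infection left behind, whether or not the dropped executables are still present.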

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1

C:\Users\Admin\AppData\Local\Temp\e579153.exe

C:\Users\Admin\AppData\Local\Temp\e579153.exe

C:\Users\Admin\AppData\Local\Temp\e5793d4.exe

C:\Users\Admin\AppData\Local\Temp\e5793d4.exe

C:\Users\Admin\AppData\Local\Temp\e57acab.exe

C:\Users\Admin\AppData\Local\Temp\e57acab.exe

C:\Users\Admin\AppData\Local\Temp\e57acca.exe

C:\Users\Admin\AppData\Local\Temp\e57acca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3256-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2896-4-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e579153.exe

MD5 89d5b031b2b1b401ebcdc3da1ddb62e7
SHA1 0bc8c57e96a240918bac201759cfd366843cec6c
SHA256 9e216be8e972cc2f483494fcd58460c5ef60036d8af53a3a00dda17c6c83ac3f
SHA512 fb9ab954a2178d50be978f8666e30240cc0bddb2bd1bbc869284f3d490d1e181fc19f3e618f78e191b6f6e81b332d0413a2b0a58e1d3e2f69009675aab5deb06

memory/2896-6-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-11-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-10-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-18-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-12-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-19-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-21-0x0000000000760000-0x000000000181A000-memory.dmp

memory/3256-23-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

memory/4384-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2896-35-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/2896-32-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/3256-31-0x0000000004240000-0x0000000004241000-memory.dmp

memory/3256-30-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

memory/2896-22-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-28-0x0000000004370000-0x0000000004371000-memory.dmp

memory/3256-24-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

memory/2896-8-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-20-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-9-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-37-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-38-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-39-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-40-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-41-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-43-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-44-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1028-56-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2896-57-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-59-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-60-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/2896-61-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-63-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-64-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1028-76-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3820-75-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1028-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3820-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4384-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3820-69-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1028-71-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4384-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4384-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2896-80-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-81-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-84-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-85-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-88-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4384-90-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2896-91-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-94-0x0000000000760000-0x000000000181A000-memory.dmp

memory/3820-95-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1028-96-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2896-98-0x0000000000760000-0x000000000181A000-memory.dmp

memory/2896-104-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/2896-115-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 5143ed1324ca8af96d49323ee4946f74
SHA1 4c5cc48407338c9b7ecf56d16ed4154e118733a1
SHA256 34f07ea0838e3576c18266262952bfa8d627873bd39bd2deaae0a982186d60e3
SHA512 3c7c83f7dcf4dbf4fb2986cd9e47b1cff54a51f29ba8b1f7827f6e45c11dd9fd6f5be90c388458dbf9deb40bdc1a2814d53ec319075852e2236629c147c2a2a9

memory/4384-127-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4384-142-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4384-141-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/3820-165-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1028-169-0x0000000000400000-0x0000000000412000-memory.dmp