Malware Analysis Report

2024-11-16 13:17

Sample ID 240518-1bcd5sha55
Target 524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115
SHA256 524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115

Threat Level: Known bad

The file 524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

Sality

UAC bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Loads dropped DLL

Windows security modification

Executes dropped EXE

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 21:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 21:28

Reported

2024-05-18 21:30

Platform

win7-20240221-en

Max time kernel

27s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
24 matches; description, indicator, process and target not recorded (N/A) for every row

UPX dump on OEP (original entry point)

Description Indicator Process Target
28 matches; description, indicator, process and target not recorded (N/A) for every row

UPX packed file

upx
Description Indicator Process Target
24 matches; description, indicator, process and target not recorded (N/A) for every row

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f762a1c C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
File created C:\Windows\f767a10 C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A (1 event)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A (21 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A (20 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629af.exe
PID 1752 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629af.exe
PID 1752 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629af.exe
PID 1752 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629af.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\taskhost.exe
PID 2420 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\Dwm.exe
PID 2420 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\DllHost.exe
PID 2420 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\rundll32.exe
PID 2420 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2232 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 1752 wrote to memory of 2232 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 1752 wrote to memory of 2232 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 1752 wrote to memory of 2232 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 1752 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 1752 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 1752 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 1752 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\taskhost.exe
PID 2420 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\Dwm.exe
PID 2420 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 2420 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 2420 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 2420 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 2696 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe C:\Windows\system32\taskhost.exe
PID 2696 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe C:\Windows\system32\Dwm.exe
PID 2696 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe C:\Windows\Explorer.EXE
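
The WriteProcessMemory rows above repeat the same writer/target pair many times, which hides the shape of the chain: rundll32 (PID 2208) writes into its 32-bit sibling (1752), that rundll32 writes into the three dropped executables it starts, and the dropped executables then write into processes that already existed before the sample ran (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe). The Python below is an added example, not code from the report or from the sandbox: it parses rows in the report's flat row format, counts events per writer/target edge, walks the graph from PID 2208, and splits each writer's targets into pre-existing Windows processes versus binaries dropped under the user's Temp directory. The path-based classification is my own heuristic, and the sample rows are a subset copied from the table above (including two of its repeated rows).

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table in the
# report (a subset, with two of the report's repeated rows kept on purpose).
SAMPLE_WRITES = r"""
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629af.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\taskhost.exe
PID 2420 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\Dwm.exe
PID 2420 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\DllHost.exe
PID 2420 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\rundll32.exe
PID 2420 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2232 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 1752 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Windows\system32\taskhost.exe
PID 2420 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Users\Admin\AppData\Local\Temp\f762be1.exe
PID 2420 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f7629af.exe C:\Users\Admin\AppData\Local\Temp\f764569.exe
PID 2696 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe C:\Windows\system32\taskhost.exe
PID 2696 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe C:\Windows\system32\Dwm.exe
PID 2696 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f764569.exe C:\Windows\Explorer.EXE
"""

# One report row: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_writes(text):
    """Yield (src_pid, dst_pid, src_image, dst_image) for every matching row."""
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]


def injection_graph(text):
    """Directed graph: writer PID -> {target PID: number of write events}."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst, _, _ in parse_writes(text):
        graph[src][dst] += 1
    return {src: dict(targets) for src, targets in graph.items()}


def reachable_from(graph, root):
    """Every PID whose memory was written, directly or transitively, starting at root."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in graph.get(pid, {}):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def write_targets(text):
    """Per writer PID, split targets into pre-existing Windows processes and
    dropped binaries under the user's Temp directory (my heuristic: by path)."""
    out = defaultdict(lambda: {"system": set(), "dropped": set()})
    for src, _, _, dst_image in parse_writes(text):
        lower = dst_image.lower()
        if "\\appdata\\local\\temp\\" in lower:
            out[src]["dropped"].add(dst_image)
        elif lower.startswith("c:\\windows\\"):
            out[src]["system"].add(dst_image)
    return dict(out)


if __name__ == "__main__":
    graph = injection_graph(SAMPLE_WRITES)
    for src, targets in sorted(graph.items()):
        print(src, "->", ", ".join(f"{dst} x{n}" for dst, n in sorted(targets.items())))
    print("reachable from 2208:", sorted(reachable_from(graph, 2208)))
    for src, kinds in sorted(write_targets(SAMPLE_WRITES).items()):
        print(src, "system targets:", len(kinds["system"]), "dropped targets:", len(kinds["dropped"]))
```

The split matters for triage: a parent writing into a child it has just created (here rundll32 into the dropped executables) is how a loader normally hands a payload to a new process, whereas writes from f7629af.exe and f764569.exe into taskhost.exe, Dwm.exe and Explorer.EXE are injection into processes the sample did not create, which is what gives the dropped code a foothold outside its own process tree.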

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
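
The registry tables above (firewall policy, EnableLUA, Security Center) are the evidence behind the evasion tags: the same two dropped executables turn the standard-profile firewall off, set EnableLUA to 0, and set every Security Center notification and override value. The Python below is an added example, not code from the report or from any sandbox: it parses rows in the report's flat row format, maps each write to the defence it disables, and groups the result by writing process. The rule table and the looks_like_sality threshold are my own choices rather than a published rule set; the sample rows are copied from the behavioral1 tables, and the key comparison is case-insensitive so the behavioral2 rows (Services, WOW6432Node) parse the same way.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 signature tables in the report, in its flat
# "Description Indicator Process Target" row format (a subset, used as input).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764569.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7629af.exe N/A
"""

# One report row: '<op> <registry path>[ = "<data>"] <process> <target>'.
# The path may contain a space ("Security Center"), so it is matched lazily
# and terminated by the optional data and the process path.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

# My rule table for this example (not a rule set from the sandbox):
# (key suffix, value name, data) -> what the write achieves.
TAMPER_RULES = {
    (r"Policies\System", "EnableLUA", "0"): "UAC disabled",
    (r"FirewallPolicy\StandardProfile", "EnableFirewall", "0"): "firewall off",
    (r"FirewallPolicy\StandardProfile", "DoNotAllowExceptions", "0"): "firewall exceptions allowed",
    (r"FirewallPolicy\StandardProfile", "DisableNotifications", "1"): "firewall alerts muted",
    (r"Security Center", "AntiVirusDisableNotify", "1"): "AV warnings muted",
    (r"Security Center", "AntiVirusOverride", "1"): "AV state override",
    (r"Security Center", "FirewallDisableNotify", "1"): "firewall warnings muted",
    (r"Security Center", "FirewallOverride", "1"): "firewall state override",
    (r"Security Center", "UacDisableNotify", "1"): "UAC warnings muted",
    (r"Security Center", "UpdatesDisableNotify", "1"): "update warnings muted",
}


def parse_rows(text):
    """Yield one dict per row that matches the report's flat row format."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key, _, name = m.group("path").rpartition("\\")
            yield {"op": m.group("op"), "key": key, "name": name,
                   "data": m.group("data"), "process": m.group("process")}


def tampering_by_process(text):
    """Map each writing process to the set of defences its registry writes disable."""
    findings = defaultdict(set)
    for row in parse_rows(text):
        if row["data"] is None:
            continue  # "Key created" rows carry no data to judge
        for (suffix, name, data), effect in TAMPER_RULES.items():
            if (row["key"].lower().endswith(suffix.lower())
                    and row["name"] == name and row["data"] == data):
                findings[row["process"]].add(effect)
    return dict(findings)


def looks_like_sality(effects):
    """My threshold: UAC off, firewall off and both Security Center overrides together."""
    return {"UAC disabled", "firewall off", "AV state override", "firewall state override"} <= effects


if __name__ == "__main__":
    for process, effects in tampering_by_process(SAMPLE_ROWS).items():
        flag = "SALITY-LIKE" if looks_like_sality(effects) else "partial"
        print(f"{process}: {flag}: {', '.join(sorted(effects))}")
```

The EnableLUA write deserves a caveat when reading the "UAC bypass" heading: setting it to 0 does not bypass UAC for the running process, it disables UAC for the machine, and that only takes effect after a reboot or re-logon. The Security Center *Override values do not disable any product either; they tell the Security Center that antivirus and firewall state are handled elsewhere, so the user is not warned when the firewall policy writes above actually turn the firewall off.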

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7629af.exe

C:\Users\Admin\AppData\Local\Temp\f7629af.exe

C:\Users\Admin\AppData\Local\Temp\f762be1.exe

C:\Users\Admin\AppData\Local\Temp\f762be1.exe

C:\Users\Admin\AppData\Local\Temp\f764569.exe

C:\Users\Admin\AppData\Local\Temp\f764569.exe

Network

N/A

Files

memory/1752-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1752-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1752-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1752-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f7629af.exe

MD5 aa951a8c02c8153ab05902165b878006
SHA1 691dae5ec1572a70698ab3d9690fec2a03d65d81
SHA256 8ddc10542a0283e0d8e121bee10db6e780585283b349ffe724676e2a28369cb8
SHA512 7c300ce8bd5472681717a3c7140c5f629e768a102c4685b10210950becacad5eb03feb769d5138819ec6814c48427c8d68a89a4b50c196edc662991425f83a22

memory/1752-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1752-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-17-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-18-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-21-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-24-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1752-34-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2420-44-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2232-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1752-56-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1752-55-0x0000000000260000-0x0000000000272000-memory.dmp

memory/2420-53-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/1752-52-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1752-43-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1752-33-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1112-26-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

memory/2420-25-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-23-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-22-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-20-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-19-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-15-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-63-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-64-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-65-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-66-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-67-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-69-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-70-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2696-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1752-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-84-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-86-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-88-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2232-104-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2696-105-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2696-107-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2232-106-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2696-103-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2232-97-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2420-108-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2420-126-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2420-150-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-149-0x0000000000980000-0x0000000001A3A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 528cf456e7b9d6b80485f51a2bb1e707
SHA1 ced162d61d17ad41f4a4faed8b87c953653cd1db
SHA256 944f6c6d0e363491514117a3ec61de6705693bf345bef67844cff72322027fdd
SHA512 91a918dc115bb6d32bffe3615e7ad94826e30b9ba7eeefb621fcbad6faad67b1ea8f5850dc75adc90b8f70e50f0608c25e5de1a44471b4abf017eed1e3f39b1b

memory/2232-171-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2696-170-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2696-205-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2696-204-0x0000000000400000-0x0000000000412000-memory.dmp
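
The Files list above names each memory dump as memory/<pid>-<sequence>-<start>-<end>-memory.dmp, which is enough to decide which dump to open first without downloading all of them. The Python below is an added example, not the sandbox's own code: it parses those names, computes each region's size, ranks regions of at least 1 MiB (the threshold is my choice) as the first candidates when looking for unpacked code, and lists regions whose bounds recur across several processes, which points at the same image mapped at the same base in each. The sample names are a subset copied from the list above.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Files list (a subset).
SAMPLE_DUMPS = """
memory/1752-0-0x0000000010000000-0x0000000010020000-memory.dmp
memory/1752-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2420-14-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2420-17-0x0000000000980000-0x0000000001A3A000-memory.dmp
memory/2420-18-0x0000000000980000-0x0000000001A3A000-memory.dmp
memory/1112-26-0x0000000001ED0000-0x0000000001ED2000-memory.dmp
memory/2420-44-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/2232-57-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2696-83-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2420-149-0x0000000000980000-0x0000000001A3A000-memory.dmp
memory/2696-170-0x0000000000900000-0x00000000019BA000-memory.dmp
memory/2696-205-0x0000000000900000-0x00000000019BA000-memory.dmp
"""

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(text):
    """Yield one dict per dump name: pid, sequence number, start and end address."""
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            yield {"pid": int(m["pid"]), "seq": int(m["seq"]),
                   "start": int(m["start"], 16), "end": int(m["end"], 16)}


def regions_by_pid(text):
    """pid -> {(start, end): sorted sequence numbers of the dumps of that region}."""
    regions = defaultdict(lambda: defaultdict(list))
    for d in parse_dumps(text):
        regions[d["pid"]][(d["start"], d["end"])].append(d["seq"])
    return {pid: {r: sorted(s) for r, s in rs.items()} for pid, rs in regions.items()}


def triage(text, min_size=1 << 20):
    """Regions of at least min_size bytes, largest first, as
    (pid, start, end, size, number_of_dumps): the dumps to open first."""
    rows = []
    for pid, rs in regions_by_pid(text).items():
        for (start, end), seqs in rs.items():
            size = end - start
            if size >= min_size:
                rows.append((pid, start, end, size, len(seqs)))
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))


def shared_regions(text):
    """Regions with identical bounds in more than one PID -> sorted list of PIDs."""
    owners = defaultdict(set)
    for d in parse_dumps(text):
        owners[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    for pid, start, end, size, n in triage(SAMPLE_DUMPS):
        print(f"PID {pid}: 0x{start:X}-0x{end:X} ({size / (1 << 20):.1f} MiB, {n} dumps)")
    for (start, end), pids in shared_regions(SAMPLE_DUMPS).items():
        print(f"0x{start:X}-0x{end:X} dumped in PIDs {pids}")
```

On the list above this picks out the 0x980000-0x1A3A000 region in PID 2420 and the 0x900000-0x19BA000 region in PID 2696, both 0x10BA000 bytes (about 16.7 MiB) and each dumped several times, against the 0x12000-byte region at 0x400000 that recurs in PIDs 1752, 2232, 2420 and 2696 and the 0x20000-byte region at 0x10000000 in PID 1752, the rundll32 process that loaded the sample DLL. The report does not say what each region holds, so the ranking is a reading order, not an identification.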

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 21:28

Reported

2024-05-18 21:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
28 matches; description, indicator, process and target not recorded (N/A) for every row

UPX dump on OEP (original entry point)

Description Indicator Process Target
32 matches; description, indicator, process and target not recorded (N/A) for every row

UPX packed file

upx
Description Indicator Process Target
28 matches; description, indicator, process and target not recorded (N/A) for every row

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
File created C:\Windows\e57abff C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
File created C:\Windows\e575004 C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A (64 identical events collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 3332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events collapsed)
PID 3332 wrote to memory of 4332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574f58.exe (3 identical events collapsed)
PID 4332 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\dwm.exe
PID 4332 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\sihost.exe
PID 4332 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\taskhostw.exe
PID 4332 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\Explorer.EXE
PID 4332 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\DllHost.exe
PID 4332 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4332 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4332 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4332 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4332 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4332 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\rundll32.exe
PID 4332 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SysWOW64\rundll32.exe (2 identical events collapsed)
PID 3332 wrote to memory of 3568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57516c.exe (3 identical events collapsed)
PID 4332 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\dwm.exe
PID 4332 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\sihost.exe
PID 4332 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\taskhostw.exe
PID 4332 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\Explorer.EXE
PID 4332 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\DllHost.exe
PID 4332 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4332 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4332 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4332 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4332 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4332 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\rundll32.exe
PID 4332 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Users\Admin\AppData\Local\Temp\e57516c.exe (2 identical events collapsed)
PID 4332 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 3332 wrote to memory of 1472 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578472.exe (3 identical events collapsed)
PID 1472 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\fontdrvhost.exe
PID 1472 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\fontdrvhost.exe
PID 1472 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\dwm.exe
PID 1472 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\sihost.exe
PID 1472 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\svchost.exe
PID 1472 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\taskhostw.exe
PID 1472 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\Explorer.EXE
PID 1472 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\svchost.exe
PID 1472 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\DllHost.exe
PID 1472 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1472 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\System32\RuntimeBroker.exe
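The WriteProcessMemory table above is long because the same writer/target pairs recur, and the chain it describes (64-bit rundll32 to 32-bit rundll32, then to the dropped Temp executables, then from those into every running system process) is easy to lose in the rows. The script below is an added example, not code from the sandbox report: it parses rows of this exact format into a graph, separates the stage handoffs from the mass injection, and walks the chain from the sandbox's initial rundll32 PID. SAMPLE_ROWS is a subset of the rows in this report; the category names (handoff, injection, other) are our own.

```python
"""Rebuild the process-injection chain from 'wrote to memory of' rows.

Added example, not code from the sandbox report. It turns repetitive
WriteProcessMemory rows into a graph so the stage handoffs (rundll32 to
dropped Temp executables) stand out from the injection into already-running
system processes. SAMPLE_ROWS is a subset of this report's rows; the
category names used by classify() are our own.
"""
import re
from collections import Counter, defaultdict, deque

# One row of the Description / Indicator / Process / Target table.
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Subset of the rows shown in this report (13 rows, 12 distinct pairs).
SAMPLE_ROWS = r"""
PID 2888 wrote to memory of 3332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2888 wrote to memory of 3332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3332 wrote to memory of 4332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574f58.exe
PID 4332 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\dwm.exe
PID 4332 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\Explorer.EXE
PID 4332 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\system32\rundll32.exe
PID 4332 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\e574f58.exe C:\Windows\SysWOW64\rundll32.exe
PID 3332 wrote to memory of 3568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57516c.exe
PID 3332 wrote to memory of 1472 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578472.exe
PID 1472 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\system32\fontdrvhost.exe
PID 1472 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e578472.exe C:\Windows\Explorer.EXE
"""


def parse_rows(lines):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; other lines are skipped."""
    events = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def _is_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def _is_windows(path):
    return path.lower().startswith("c:\\windows\\")


def classify(events):
    """Count distinct writer->target pairs per category.

    handoff:   rundll32 (the loader) writing into a freshly dropped Temp executable
    injection: a Temp executable writing into a process under the Windows directory
    other:     anything else, e.g. 64-bit rundll32 handing off to its 32-bit twin
    """
    seen, counts = set(), Counter()
    for src, dst, src_img, dst_img in events:
        if (src, dst) in seen:          # repeated rows for one pair count once
            continue
        seen.add((src, dst))
        if src_img.lower().endswith("\\rundll32.exe") and _is_temp(dst_img):
            counts["handoff"] += 1
        elif _is_temp(src_img) and _is_windows(dst_img):
            counts["injection"] += 1
        else:
            counts["other"] += 1
    return dict(counts)


def injected_images(events):
    """Distinct system-process images each Temp-resident writer wrote into."""
    out = defaultdict(set)
    for src, _dst, src_img, dst_img in events:
        if _is_temp(src_img) and _is_windows(dst_img):
            out[src].add(dst_img)
    return {pid: sorted(imgs) for pid, imgs in out.items()}


def chain_from(events, root):
    """BFS depth of every PID reachable from `root` through memory writes.

    The visited check matters: the dropped executable writes back into the
    rundll32 instances that started it, so the graph contains a cycle.
    """
    adj = defaultdict(list)
    for src, dst, _, _ in events:
        if dst not in adj[src]:
            adj[src].append(dst)
    depth, queue = {root: 0}, deque([root])
    while queue:
        pid = queue.popleft()
        for nxt in adj[pid]:
            if nxt not in depth:
                depth[nxt] = depth[pid] + 1
                queue.append(nxt)
    return depth


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS.splitlines())
    print(classify(evs))
    for pid, imgs in injected_images(evs).items():
        print(pid, "injected into", len(imgs), "system images")
    print(sorted(chain_from(evs, 2888).items(), key=lambda kv: kv[1]))
```

Feeding the full table to parse_rows() instead of the subset gives the same picture at larger scale: three handoffs from PID 3332 (e574f58.exe, e57516c.exe, e578472.exe) and two Temp executables that each write into the same set of session processes.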

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
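The registry rows in the Windows security modification table near the top of this analysis, the "Checks whether UAC is enabled" table and the "System policy modification" table above all describe the same thing: both dropped executables silence Security Center (the *DisableNotify and *Override values under the WOW6432Node-redirected Security Center key) and switch UAC off by writing EnableLUA = 0. The script below is an added example, not code from the sandbox report. It parses rows of this exact format and re-derives those verdicts with a small rule set; SAMPLE_ROWS is copied from this report, the rule labels are our own, and the two Windows Firewall policy rules generalise beyond the rows shown here.

```python
"""Flag security-weakening registry writes in sandbox 'Set value' rows.

Added example, not code from the sandbox report. It re-derives the report's
Windows security modification, UAC and system policy findings from the raw
table rows with a small rule set. Rule labels are our own naming; SAMPLE_ROWS
is copied from this report; the Windows Firewall rules are a generalisation
beyond the rows shown.
"""
import re
from collections import defaultdict

# One "Set value" row of the Description / Indicator / Process / Target table.
# Key paths may contain spaces ("Security Center"), so the value name is taken
# as the last backslash-free component before ' = "'.
ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+)\\(?P<name>[^\\]+) = '
    r'"(?P<value>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)

# (normalised key suffix, value names, value that weakens security, label)
RULES = [
    (r"software\microsoft\security center",
     {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
      "uacdisablenotify", "antivirusoverride", "firewalloverride"},
     "1", "Security Center notification/override disabled"),
    (r"software\microsoft\windows\currentversion\policies\system",
     {"enablelua"}, "0", "UAC disabled (EnableLUA = 0)"),
    # Generalisation: firewall policy values commonly tampered with as well.
    (r"services\sharedaccess\parameters\firewallpolicy\standardprofile",
     {"enablefirewall"}, "0", "Windows Firewall disabled"),
    (r"services\sharedaccess\parameters\firewallpolicy\standardprofile",
     {"disablenotifications"}, "1", "Windows Firewall notifications disabled"),
]

# Rows copied from this report ("Key created" rows are included to show they are skipped).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574f58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e578472.exe N/A
"""


def normalize_key(key):
    """Lower-case the key and drop the REGISTRY/MACHINE (HKLM) prefix and the
    WOW6432Node redirection so 32-bit and 64-bit writes hit the same rule."""
    k = key.lower().replace("\\wow6432node", "")
    for prefix in ("\\registry\\machine\\", "hklm\\"):
        if k.startswith(prefix):
            k = k[len(prefix):]
    return k


def parse_row(line):
    """Return the row's fields, or None for rows that are not 'Set value'."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def evaluate(lines):
    """Run RULES over the rows; one finding per matching write."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None:                  # 'Key created' rows and blanks are skipped
            continue
        key, name = normalize_key(row["key"]), row["name"].lower()
        for suffix, names, bad_value, label in RULES:
            if key.endswith(suffix) and name in names and row["value"] == bad_value:
                findings.append({"process": row["process"],
                                 "setting": f'{row["name"]} = {row["value"]}',
                                 "label": label})
    return findings


def by_process(findings):
    """Distinct rule labels triggered per writing process."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["process"]].add(f["label"])
    return dict(summary)


if __name__ == "__main__":
    for proc, labels in by_process(evaluate(SAMPLE_ROWS.splitlines())).items():
        print(proc, "->", ", ".join(sorted(labels)))
```

Matching on the normalised key suffix rather than the full path is deliberate: the same writes show up under WOW6432Node on 64-bit Windows and without it on 32-bit, and the firewall policy key sits under whichever ControlSet is live, so a rule anchored to the full path would miss half the variants.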

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574f58.exe

C:\Users\Admin\AppData\Local\Temp\e574f58.exe

C:\Users\Admin\AppData\Local\Temp\e57516c.exe

C:\Users\Admin\AppData\Local\Temp\e57516c.exe

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Users\Admin\AppData\Local\Temp\e578472.exe

C:\Users\Admin\AppData\Local\Temp\e578472.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 112.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 identical connections collapsed)
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/3332-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4332-4-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574f58.exe

MD5 aa951a8c02c8153ab05902165b878006
SHA1 691dae5ec1572a70698ab3d9690fec2a03d65d81
SHA256 8ddc10542a0283e0d8e121bee10db6e780585283b349ffe724676e2a28369cb8
SHA512 7c300ce8bd5472681717a3c7140c5f629e768a102c4685b10210950becacad5eb03feb769d5138819ec6814c48427c8d68a89a4b50c196edc662991425f83a22

memory/4332-6-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-9-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/3332-18-0x0000000003EF0000-0x0000000003EF2000-memory.dmp

memory/4332-28-0x0000000003660000-0x0000000003662000-memory.dmp

memory/4332-17-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-11-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-26-0x0000000003660000-0x0000000003662000-memory.dmp

memory/3332-19-0x0000000003F80000-0x0000000003F81000-memory.dmp

memory/4332-10-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/3332-24-0x0000000003EF0000-0x0000000003EF2000-memory.dmp

memory/3332-22-0x0000000003EF0000-0x0000000003EF2000-memory.dmp

memory/4332-21-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/4332-8-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-27-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-31-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-32-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-33-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-35-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-34-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-36-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-37-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-38-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/3568-41-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3568-42-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3568-43-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3332-47-0x0000000003EF0000-0x0000000003EF2000-memory.dmp

memory/1472-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4332-45-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-53-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-54-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-56-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-57-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-59-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-60-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-63-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4332-74-0x0000000003660000-0x0000000003662000-memory.dmp

memory/4332-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3568-86-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 529d20c87e88b6d4258fdc572c723293
SHA1 c1f3d79e06d0996089901149aef77488aa8c452c
SHA256 b3933c296d9ed28d1687a08376159bc1268afb824b37c02ead5f121506787ffe
SHA512 582731b3218d02dbf387f29cb64ebce73f3feda8378c2b90ddf2b4d281ec712823287721be482e2fceb7e3c9e21808289e91105da622c7af5eaaa5e5f8769fae

memory/1472-87-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/1472-89-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/1472-100-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/1472-108-0x0000000001B00000-0x0000000001B01000-memory.dmp

memory/1472-107-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/1472-90-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/1472-140-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/1472-139-0x0000000000400000-0x0000000000412000-memory.dmp