Malware Analysis Report

2024-09-11 12:55

Sample ID 240610-sfxlwazgra
Target 982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2
SHA256 982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2

Threat Level: Known bad

The file 982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Windows security bypass

Modifies firewall policy service

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Loads dropped DLL

UPX packed file

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 15:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 15:04

Reported

2024-06-10 15:07

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (24 matches; per-match details not reported)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (28 matches; per-match details not reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (24 matches; per-match details not reported)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
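
Added example, not part of the sandbox report: the firewall-policy, EnableLUA and Security Center rows in the tables above are the whole of Sality's security-disable routine, and a detection that keys on any single value will also fire on legitimate administration. The Python below parses rows in the format these tables use, tags each write with the defence it turns off, and calls a process Sality-like only when the combination (firewall off, UAC off, Security Center silenced) is present. The row grammar, the tag names and the last sample row are this example's own constructions; the other sample rows are copied from the report's behavioral1 and behavioral2 tables.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Row grammar of the registry signature tables (assumed from the rows as
# printed): <op> <key>[ = "<value>"] <process> <target>
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str
    value: Optional[str]
    proc: str


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    return RegEvent(m["op"], m["key"], m["value"], m["proc"]) if m else None


def classify(ev: RegEvent) -> Optional[str]:
    """Map one registry write to the defence it disables, or None."""
    key = ev.key.lower()                    # Wow6432Node vs WOW6432Node
    name = key.rsplit("\\", 1)[-1]
    in_fw = "\\sharedaccess\\parameters\\firewallpolicy\\" in key
    in_sc = "\\microsoft\\security center\\" in key
    in_pol = "\\policies\\system\\" in key
    if in_fw and name == "enablefirewall" and ev.value == "0":
        return "firewall_disabled"
    if in_fw and name == "donotallowexceptions" and ev.value == "0":
        return "firewall_exceptions_allowed"
    if in_fw and name == "disablenotifications" and ev.value == "1":
        return "firewall_alerts_suppressed"
    if in_pol and name == "enablelua" and ev.value == "0":
        return "uac_disabled"
    if in_sc and ev.op == "Key created" and name == "svc":
        return "security_center_svc_key"
    if in_sc and name.endswith("disablenotify") and ev.value == "1":
        return "security_center_alerts_suppressed"
    if in_sc and name.endswith("override") and ev.value == "1":
        return "security_center_override"
    return None


def summarize(rows) -> Dict[str, Set[str]]:
    """Tags per writing process; rows that parse to nothing are ignored."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    for line in rows:
        ev = parse_row(line)
        tag = classify(ev) if ev else None
        if tag:
            findings[ev.proc].add(tag)
    return dict(findings)


SALITY_CORE = {"firewall_disabled", "uac_disabled"}


def is_sality_like(tags: Set[str]) -> bool:
    """Host firewall off, UAC off, and Security Center told not to complain:
    the combination this sample writes, rather than any single value."""
    return SALITY_CORE <= tags and any(t.startswith("security_center") for t in tags)


SAMPLE_ROWS = [
    # Copied from the signature tables in this report.
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A',
    # Constructed benign row (not from the report) that must not be tagged.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\Explorer.EXE N/A',
]

if __name__ == "__main__":
    for proc, tags in summarize(SAMPLE_ROWS).items():
        verdict = "SALITY-LIKE" if is_sality_like(tags) else "partial"
        print(f"{verdict:12} {proc}: {sorted(tags)}")
```

On a live host the same tags come from Sysmon event 13 (RegistryEvent value set) or EDR registry telemetry; the value names and key suffixes are identical, only the row format changes.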

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7610f2 C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
File created C:\Windows\f766142 C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (21 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Token: SeDebugPrivilege (20 times) N/A C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 2232 (7 times) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2072 (4 times) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761084.exe
PID 2072 wrote to memory of 1108 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\taskhost.exe
PID 2072 wrote to memory of 1168 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\Dwm.exe
PID 2072 wrote to memory of 1196 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\Explorer.EXE
PID 2072 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\DllHost.exe
PID 2072 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\rundll32.exe
PID 2072 wrote to memory of 2232 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2568 (4 times) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76122a.exe
PID 2232 wrote to memory of 2500 (4 times) N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762c10.exe
PID 2072 wrote to memory of 2568 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Users\Admin\AppData\Local\Temp\f76122a.exe
PID 2072 wrote to memory of 2500 (2 times) N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Users\Admin\AppData\Local\Temp\f762c10.exe
PID 2500 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f762c10.exe C:\Windows\system32\taskhost.exe
PID 2500 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f762c10.exe C:\Windows\system32\Dwm.exe
PID 2500 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f762c10.exe C:\Windows\Explorer.EXE
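
Added example, not code from the report: the table above is an injection graph. The 64-bit rundll32.exe (PID 1088) writes into its SysWOW64 counterpart (2232), which writes into the dropped f761084.exe (2072), f76122a.exe (2568) and f762c10.exe (2500); 2072 and 2500 then write into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe. A loader writing into a child it has just started is what a CreateProcess-based launch looks like to a sandbox hook, whereas writes from a dropped executable into already-running Windows processes are the injection worth alerting on. The Python below builds the graph from rows in this table's format (a "(N times)" suffix is accepted where identical rows were folded), separates those two cases by image path, and walks the graph transitively. The row grammar and the Temp-versus-Windows path heuristic are this example's assumptions; the sample rows are a subset copied from the table.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Row grammar of the WriteProcessMemory table (assumed from the rows as
# printed); a "(N times)" suffix is accepted where identical rows were folded.
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)'
    r'(?:\s+\((?P<n>\d+) times\))?'
    r'\s+\S+'                                        # Indicator column
    r'\s+(?P<src_img>[A-Za-z]:\\\S+)\s+(?P<dst_img>[A-Za-z]:\\\S+)$'
)

Edge = Tuple[int, int]


def build_graph(rows) -> Tuple[Dict[Edge, int], Dict[int, str]]:
    """Edge -> write count, and PID -> image path, from table rows."""
    edges: Dict[Edge, int] = defaultdict(int)
    images: Dict[int, str] = {}
    for line in rows:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += int(m["n"] or 1)
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return dict(edges), images


def is_system_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def is_dropped_payload(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def injection_targets(edges, images) -> List[Tuple[int, int, str, int]]:
    """Writes from a dropped Temp executable into a process running a Windows
    image: the cross-process injection that puts Sality inside taskhost, dwm
    and explorer. A parent writing into a child it just spawned (rundll32 into
    f761084.exe) is excluded by the image filter, not by parentage."""
    hits = [(src, dst, images[dst], n)
            for (src, dst), n in edges.items()
            if is_dropped_payload(images[src]) and is_system_image(images[dst])]
    return sorted(hits)


def reachable_from(edges, pid: int) -> Set[int]:
    """Every PID written to, directly or transitively, starting at pid. The
    start PID is included if a write cycle leads back to it."""
    adj: Dict[int, Set[int]] = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
    seen: Set[int] = set()
    todo = deque([pid])
    while todo:
        for nxt in adj[todo.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


SAMPLE_ROWS = [
    # Copied from the WriteProcessMemory table above (subset, some repeats).
    r"PID 1088 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1088 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2232 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761084.exe",
    r"PID 2072 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\taskhost.exe",
    r"PID 2072 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\Dwm.exe",
    r"PID 2072 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\Explorer.EXE",
    r"PID 2072 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Windows\system32\rundll32.exe",
    r"PID 2232 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762c10.exe",
    r"PID 2072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\f761084.exe C:\Users\Admin\AppData\Local\Temp\f762c10.exe",
    r"PID 2500 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f762c10.exe C:\Windows\system32\taskhost.exe",
]

if __name__ == "__main__":
    edges, images = build_graph(SAMPLE_ROWS)
    for src, dst, img, n in injection_targets(edges, images):
        print(f"{src} -> {dst} {img} ({n} write(s))")
    print("reachable from 1088:", sorted(reachable_from(edges, 1088)))
```

The write from 2072 back into 1088 shows why the walk needs a visited set: the dropped payload writes into the rundll32 that started the chain, so the graph has a cycle.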

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761084.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c10.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761084.exe

C:\Users\Admin\AppData\Local\Temp\f761084.exe

C:\Users\Admin\AppData\Local\Temp\f76122a.exe

C:\Users\Admin\AppData\Local\Temp\f76122a.exe

C:\Users\Admin\AppData\Local\Temp\f762c10.exe

C:\Users\Admin\AppData\Local\Temp\f762c10.exe

Network

N/A

Files

memory/2232-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761084.exe

MD5 b0d1c41f3dcefe5bc7050aaced2e01d4
SHA1 486e63b0ffd8bae1a2ad8af9ce3211b937428f58
SHA256 8eaeb4e01ad4bf5b94d02f483a479f786e340bb93ee12b97a691112c38e417b0
SHA512 08a25f30fb55d627b28f15d206b7d6f2aeee71e9dc1af09dbb8a6fd314c5ec2fe7dcb116f0d894cf69eb17e0a83f439abe2a8d696d645fcea3f1271aefc355a4

memory/2232-9-0x0000000000150000-0x0000000000162000-memory.dmp

memory/2232-8-0x0000000000150000-0x0000000000162000-memory.dmp

memory/2072-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2072-13-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-16-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-18-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-17-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2232-38-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2232-39-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1108-29-0x0000000001F10000-0x0000000001F12000-memory.dmp

memory/2072-22-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-20-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-15-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-19-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-21-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-49-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/2072-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2072-23-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2568-63-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2232-48-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2232-61-0x00000000003B0000-0x00000000003C2000-memory.dmp

memory/2232-60-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2232-59-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2072-54-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2072-64-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-65-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-66-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-68-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-67-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-70-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-71-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2232-83-0x0000000000150000-0x0000000000152000-memory.dmp

memory/2500-84-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2232-80-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2072-85-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-87-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-89-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-90-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2568-101-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2568-100-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2568-109-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2500-111-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2500-110-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2072-130-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2072-161-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2072-160-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2568-165-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 877c7c355929ff906ad91a42747930fb
SHA1 8e97dd472cd44ea0e15217d7b277bd189fb00cbc
SHA256 7de50a3fc16b0a44997a5c432035a69c06ecff921b8a17ad7f4b3cbe31ad7677
SHA512 460e82260633350a12e65dc87c65203b217a13e74b47eaacdd9472664bbdc5788402c39e24a6a29631020cc2ca8d532decae928b1ac5ac70f82348dfb4f4ba77

memory/2500-178-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2500-216-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2500-215-0x0000000000910000-0x00000000019CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 15:04

Reported

2024-06-10 15:07

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (28 matches; per-match details not reported)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (34 matches; per-match details not reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (28 matches; per-match details not reported)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574277 C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
File created C:\Windows\e57b70b C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3656 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3648 wrote to memory of 2532 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57421a.exe
PID 3648 wrote to memory of 2532 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57421a.exe
PID 3648 wrote to memory of 2532 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57421a.exe
PID 2532 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\fontdrvhost.exe
PID 2532 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\fontdrvhost.exe
PID 2532 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\dwm.exe
PID 2532 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\sihost.exe
PID 2532 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\svchost.exe
PID 2532 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\taskhostw.exe
PID 2532 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\Explorer.EXE
PID 2532 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\svchost.exe
PID 2532 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\DllHost.exe
PID 2532 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2532 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2532 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2532 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2532 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2532 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2532 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\rundll32.exe
PID 2532 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SysWOW64\rundll32.exe
PID 2532 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SysWOW64\rundll32.exe
PID 3648 wrote to memory of 1900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743c0.exe
PID 3648 wrote to memory of 1900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743c0.exe
PID 3648 wrote to memory of 1900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743c0.exe
PID 3648 wrote to memory of 1048 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 3648 wrote to memory of 1048 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 3648 wrote to memory of 1048 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 2532 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\fontdrvhost.exe
PID 2532 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\fontdrvhost.exe
PID 2532 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\dwm.exe
PID 2532 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\sihost.exe
PID 2532 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\svchost.exe
PID 2532 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\taskhostw.exe
PID 2532 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\Explorer.EXE
PID 2532 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\svchost.exe
PID 2532 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\system32\DllHost.exe
PID 2532 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2532 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2532 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2532 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2532 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2532 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2532 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Users\Admin\AppData\Local\Temp\e5743c0.exe
PID 2532 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Users\Admin\AppData\Local\Temp\e5743c0.exe
PID 2532 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe
PID 2532 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\e57421a.exe C:\Users\Admin\AppData\Local\Temp\e57689d.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57421a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57689d.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57421a.exe

C:\Users\Admin\AppData\Local\Temp\e57421a.exe

C:\Users\Admin\AppData\Local\Temp\e5743c0.exe

C:\Users\Admin\AppData\Local\Temp\e5743c0.exe

C:\Users\Admin\AppData\Local\Temp\e57689d.exe

C:\Users\Admin\AppData\Local\Temp\e57689d.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/3648-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2532-5-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57421a.exe

MD5 b0d1c41f3dcefe5bc7050aaced2e01d4
SHA1 486e63b0ffd8bae1a2ad8af9ce3211b937428f58
SHA256 8eaeb4e01ad4bf5b94d02f483a479f786e340bb93ee12b97a691112c38e417b0
SHA512 08a25f30fb55d627b28f15d206b7d6f2aeee71e9dc1af09dbb8a6fd314c5ec2fe7dcb116f0d894cf69eb17e0a83f439abe2a8d696d645fcea3f1271aefc355a4

memory/2532-6-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-20-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-11-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-30-0x0000000000670000-0x0000000000672000-memory.dmp

memory/2532-28-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-29-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1900-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2532-19-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-32-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3648-31-0x0000000004770000-0x0000000004772000-memory.dmp

memory/2532-18-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-12-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-8-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/3648-25-0x0000000004770000-0x0000000004772000-memory.dmp

memory/2532-24-0x0000000000680000-0x0000000000681000-memory.dmp

memory/3648-22-0x0000000004800000-0x0000000004801000-memory.dmp

memory/3648-21-0x0000000004770000-0x0000000004772000-memory.dmp

memory/2532-10-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-9-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-36-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-37-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-38-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-39-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-40-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1048-48-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1048-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1900-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1048-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1900-54-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1048-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1900-51-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2532-58-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-59-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-60-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-62-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-63-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-65-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-66-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-69-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-71-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-79-0x0000000000670000-0x0000000000672000-memory.dmp

memory/2532-74-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/2532-92-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1900-97-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1900-98-0x0000000000B30000-0x0000000001BEA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e3fa82f6c65f8e66a6dd4318569f7c16
SHA1 788f23325cfee69528795b5bafa6aa65bc9b7ec9
SHA256 7d41a977a2e01f4916a5eb6e9c6ccadca941ddae725ef8550e188165ceeefa44
SHA512 06f054dae6f2234cb391d59fb41b2053e9fbe78f56b61152ee5bc8d43d3acf07fff198d1de45bb3fdec719ecbfbfa86c540ea52437bd6489ffa2837c31479aaf

memory/1048-109-0x0000000000B50000-0x0000000001C0A000-memory.dmp

memory/1048-111-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1900-112-0x0000000000B30000-0x0000000001BEA000-memory.dmp