Malware Analysis Report

2024-09-11 12:55

Sample ID 240610-w16xtswelr
Target e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844
SHA256 e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844

Threat Level: Known bad

The file e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Modifies firewall policy service

Sality

Windows security bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

UPX packed file

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 18:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 18:24

Reported

2024-06-10 18:26

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
File created C:\Windows\f767214 C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
File created C:\Windows\f761fa1 C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2856 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f53.exe
PID 2396 wrote to memory of 2856 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f53.exe
PID 2396 wrote to memory of 2856 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f53.exe
PID 2396 wrote to memory of 2856 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f53.exe
PID 2856 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\system32\Dwm.exe
PID 2856 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\system32\taskhost.exe
PID 2856 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\Explorer.EXE
PID 2856 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\system32\DllHost.exe
PID 2856 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\system32\rundll32.exe
PID 2856 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7620d9.exe
PID 2396 wrote to memory of 2480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7620d9.exe
PID 2396 wrote to memory of 2480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7620d9.exe
PID 2396 wrote to memory of 2480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7620d9.exe
PID 2396 wrote to memory of 2728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aee.exe
PID 2396 wrote to memory of 2728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aee.exe
PID 2396 wrote to memory of 2728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aee.exe
PID 2396 wrote to memory of 2728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763aee.exe
PID 2856 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\system32\Dwm.exe
PID 2856 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\system32\taskhost.exe
PID 2856 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Windows\Explorer.EXE
PID 2856 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Users\Admin\AppData\Local\Temp\f7620d9.exe
PID 2856 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Users\Admin\AppData\Local\Temp\f7620d9.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Users\Admin\AppData\Local\Temp\f763aee.exe
PID 2856 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\f761f53.exe C:\Users\Admin\AppData\Local\Temp\f763aee.exe
PID 2728 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe C:\Windows\system32\Dwm.exe
PID 2728 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe C:\Windows\system32\taskhost.exe
PID 2728 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f763aee.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f53.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763aee.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761f53.exe

C:\Users\Admin\AppData\Local\Temp\f761f53.exe

C:\Users\Admin\AppData\Local\Temp\f7620d9.exe

C:\Users\Admin\AppData\Local\Temp\f7620d9.exe

C:\Users\Admin\AppData\Local\Temp\f763aee.exe

C:\Users\Admin\AppData\Local\Temp\f763aee.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761f53.exe

MD5 93c247dcb65e1f909c4298e7de67e31c
SHA1 0be4942dd9e70b8b555c4ef4c2330ccae68b6175
SHA256 3a9e494246a3b4792e61ff35a23905c2de9a8f7d5c4087037b991a2c66a8d274
SHA512 f7ae47c05e3ded36f630d5346189964aa39a0b4fac51ba911ba01eb9aab89c864413aff5e35faa25b56898c47b77e1e61edab69da9af17067ae20b796b594b85

memory/2396-9-0x0000000000100000-0x0000000000112000-memory.dmp

memory/2856-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2396-8-0x0000000000100000-0x0000000000112000-memory.dmp

memory/2396-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2856-15-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-23-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-14-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-17-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-18-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-16-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-22-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2396-50-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2856-52-0x0000000000560000-0x0000000000562000-memory.dmp

memory/2856-49-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/2856-21-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2480-64-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2396-63-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2396-62-0x0000000000210000-0x0000000000222000-memory.dmp

memory/2856-61-0x0000000000560000-0x0000000000562000-memory.dmp

memory/2396-40-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2396-39-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1056-29-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2856-19-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2396-59-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2856-20-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-66-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-65-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-67-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-68-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-69-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-71-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-72-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2728-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2396-83-0x0000000000100000-0x0000000000102000-memory.dmp

memory/2396-80-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2856-86-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-88-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-90-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2480-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2480-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2728-112-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2728-111-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2480-110-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2856-117-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-157-0x0000000000670000-0x000000000172A000-memory.dmp

memory/2856-158-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2480-162-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 441741243118a40e8d179fee59fd08cd
SHA1 7bf984f97c1985bbdd979c07a7ac74d5970f41eb
SHA256 9824434ebaab8ef4c046e44d21a09c3cb8bf4c759a594724d664164ff56c97ed
SHA512 af91840dc129e100974bc222658e14de8a88e9c95b1b9474159e9e56c7c9f3177d0e90d8edd579c6618b25baaf3728602b970c4d09d8e9dc9d63847df6f7c455

memory/2728-176-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2728-210-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2728-211-0x0000000000930000-0x00000000019EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 18:24

Reported

2024-06-10 18:26

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574e01 C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
File created C:\Windows\e57b7f6 C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
(64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4176 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4176 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4176 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 220 wrote to memory of 4252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
PID 220 wrote to memory of 4252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
PID 220 wrote to memory of 4252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
PID 4252 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\fontdrvhost.exe
PID 4252 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\fontdrvhost.exe
PID 4252 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\dwm.exe
PID 4252 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\sihost.exe
PID 4252 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\svchost.exe
PID 4252 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\taskhostw.exe
PID 4252 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\Explorer.EXE
PID 4252 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\svchost.exe
PID 4252 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\DllHost.exe
PID 4252 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4252 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4252 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4252 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4252 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\rundll32.exe
PID 4252 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SysWOW64\rundll32.exe
PID 4252 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SysWOW64\rundll32.exe
PID 220 wrote to memory of 3624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574edb.exe
PID 220 wrote to memory of 3624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574edb.exe
PID 220 wrote to memory of 3624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574edb.exe
PID 220 wrote to memory of 1416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576987.exe
PID 220 wrote to memory of 1416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576987.exe
PID 220 wrote to memory of 1416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576987.exe
PID 4252 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\fontdrvhost.exe
PID 4252 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\fontdrvhost.exe
PID 4252 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\dwm.exe
PID 4252 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\sihost.exe
PID 4252 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\svchost.exe
PID 4252 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\taskhostw.exe
PID 4252 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\Explorer.EXE
PID 4252 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\svchost.exe
PID 4252 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\system32\DllHost.exe
PID 4252 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4252 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4252 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4252 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Users\Admin\AppData\Local\Temp\e574edb.exe
PID 4252 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Users\Admin\AppData\Local\Temp\e574edb.exe
PID 4252 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Windows\System32\RuntimeBroker.exe
PID 4252 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Users\Admin\AppData\Local\Temp\e576987.exe
PID 4252 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\e574dc2.exe C:\Users\Admin\AppData\Local\Temp\e576987.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574dc2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576987.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e12e7baac69422bbf5fcf59e4281fce3887b962fe67dd292edcb17bf922d1844.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574dc2.exe

C:\Users\Admin\AppData\Local\Temp\e574dc2.exe

C:\Users\Admin\AppData\Local\Temp\e574edb.exe

C:\Users\Admin\AppData\Local\Temp\e574edb.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576987.exe

C:\Users\Admin\AppData\Local\Temp\e576987.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e574dc2.exe

MD5 93c247dcb65e1f909c4298e7de67e31c
SHA1 0be4942dd9e70b8b555c4ef4c2330ccae68b6175
SHA256 3a9e494246a3b4792e61ff35a23905c2de9a8f7d5c4087037b991a2c66a8d274
SHA512 f7ae47c05e3ded36f630d5346189964aa39a0b4fac51ba911ba01eb9aab89c864413aff5e35faa25b56898c47b77e1e61edab69da9af17067ae20b796b594b85

C:\Windows\SYSTEM.INI

MD5 f2ee66dacfc7a6c2967936919260e233
SHA1 3933d9d18f04f38e88b6a372680cca07cd5ba7f8
SHA256 abf138b84987045dce19dae6942921d7ba6cbdb64dae7760fefb82c47f4aa2d0
SHA512 f02f1d1f28452e69f5a6f30d1573d2ebc1e7dc324394be6f55f0f03505189475ce933e75d89ad801b6da187b587335cba280aa19b43416ecf860db10a0c95bbe
