Malware Analysis Report

2024-09-11 12:56

Sample ID 240610-x2g6jaxgjl
Target 1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e
SHA256 1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e

Threat Level: Known bad

The file 1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Windows security modification

Loads dropped DLL

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 19:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 19:20

Reported

2024-06-10 19:23

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (24 matches, no details exported)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (28 matches, no details exported)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (24 matches, no details exported)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f7615d2 | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
File created | C:\Windows\f7665c5 | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A (22 identical events)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A (21 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 492 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761564.exe
PID 2096 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761564.exe
PID 2096 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761564.exe
PID 2096 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761564.exe
PID 1532 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\system32\taskhost.exe
PID 1532 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\system32\Dwm.exe
PID 1532 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\Explorer.EXE
PID 1532 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\system32\DllHost.exe
PID 1532 wrote to memory of 492 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\system32\rundll32.exe
PID 1532 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1532 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7616ea.exe
PID 2096 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7616ea.exe
PID 2096 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7616ea.exe
PID 2096 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7616ea.exe
PID 2096 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76312e.exe
PID 2096 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76312e.exe
PID 2096 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76312e.exe
PID 2096 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76312e.exe
PID 1532 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\system32\taskhost.exe
PID 1532 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\system32\Dwm.exe
PID 1532 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Windows\Explorer.EXE
PID 1532 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Users\Admin\AppData\Local\Temp\f7616ea.exe
PID 1532 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Users\Admin\AppData\Local\Temp\f7616ea.exe
PID 1532 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Users\Admin\AppData\Local\Temp\f76312e.exe
PID 1532 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\f761564.exe | C:\Users\Admin\AppData\Local\Temp\f76312e.exe
PID 2972 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | C:\Windows\system32\taskhost.exe
PID 2972 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | C:\Windows\system32\Dwm.exe
PID 2972 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | C:\Windows\Explorer.EXE

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761564.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76312e.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761564.exe

C:\Users\Admin\AppData\Local\Temp\f761564.exe

C:\Users\Admin\AppData\Local\Temp\f7616ea.exe

C:\Users\Admin\AppData\Local\Temp\f7616ea.exe

C:\Users\Admin\AppData\Local\Temp\f76312e.exe

C:\Users\Admin\AppData\Local\Temp\f76312e.exe

Network

N/A

Files

memory/2096-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761564.exe

MD5 d13cbc185be2e6401eb88d2a7ece801a
SHA1 c6151b5012256a95620427b9b1ed6c8a16afcee4
SHA256 d9354276c50d796c773da0fa88d8e469cd13ba0786300f9eda93c0f5c7c7b111
SHA512 f90f039e9a565785f95a7fa4d60a1bc49926f9727e90d3ed95f3d272419c8f8f7471faea9d76474b59e9b6b484b74e6ac7472fe7b450ee15aaf4ef9e3bbb5bea

memory/1532-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2096-10-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2096-9-0x0000000000170000-0x0000000000182000-memory.dmp

memory/1532-16-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-14-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-12-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-19-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-17-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-20-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-15-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-21-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2096-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1532-49-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2852-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2096-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2096-59-0x0000000000210000-0x0000000000222000-memory.dmp

memory/2096-52-0x0000000000210000-0x0000000000222000-memory.dmp

memory/1532-47-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/2096-46-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2096-37-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2096-36-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1112-28-0x00000000003A0000-0x00000000003A2000-memory.dmp

memory/1532-18-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-22-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-62-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-63-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-64-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-65-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-66-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-68-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-69-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2972-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2096-80-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2096-77-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1532-83-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-86-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1532-87-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2972-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2972-103-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2852-105-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2972-106-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2852-99-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1532-107-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2852-98-0x0000000000360000-0x0000000000362000-memory.dmp

memory/1532-121-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1532-150-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1532-149-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2852-154-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 54a82969bb68a26da5cb1feb1c2f4d17
SHA1 85795f5b5c3e246e46c939ad0842f4e984080b4f
SHA256 35277388623176d9a0db1dd8e887865d0dc876e6274ccc58a369c28a282a5e44
SHA512 495410e8075f6470cb1c6228b5e25594dd7e525271d32f9c90b9bacc1e6d44107b3ca969ab36ea43a1f571e16e050cc1a77ae61a51f329bfd8ecd4e5a42de907

memory/2972-170-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/2972-205-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/2972-204-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 19:20

Reported

2024-06-10 19:23

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (34 matches, no details exported)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (38 matches, no details exported)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (34 matches, no details exported)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e5749da.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57659f.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A
(Despite the signature name, both rows are writes rather than reads: EnableLUA is set to 0, which switches UAC off once the host restarts. The same two events are listed again under "System policy modification" below.)
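The two registry tables above ("Windows security modification" and the EnableLUA writes) are the kind of rows an analyst wants to turn into findings automatically. The script below is an added example, not part of this report or of the sandbox: it parses signature rows in the report's own layout, applies a small rule table of my own (Security Center notification/override flags set to 1, EnableLUA set to 0, EnableFirewall set to 0) and records, per process, which rows landed in the WOW6432Node view. The sample rows are copied from the tables above except the two rows attributed to constructed.exe, which are constructed to exercise the firewall rule and the no-match path.

```python
"""Flag security-tamper registry writes in sandbox signature rows.

Added example (not part of this report). The rule table is my own; the
sample rows are copied from the "Windows security modification" and
"Checks whether UAC is enabled" tables, plus two CONSTRUCTED rows
(process name constructed.exe) that are not in the report.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\constructed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Example\Harmless\Setting = "1" C:\Users\Admin\AppData\Local\Temp\constructed.exe N/A
"""

# Security Center values that only silence the user-facing warnings
# (nothing is actually disabled by them) - rule table is mine, not the report's.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "antivirusoverride",
    "firewalldisablenotify", "firewalloverride",
    "updatesdisablenotify", "uacdisablenotify",
}

SET_VALUE_RE = re.compile(r'Set value \((\w+)\) (.*) = "(.*)"$')


def parse_row(line):
    """Split one report row into op / key / value / process / target.

    Process and target never contain spaces in this layout, so they are
    peeled off the right; the key path (which may contain spaces) is the rest.
    """
    head, process, target = line.strip().rsplit(maxsplit=2)
    if head.startswith("Key created "):
        return {"op": "Key created", "key": head[len("Key created "):],
                "value": None, "process": process, "target": target}
    m = SET_VALUE_RE.match(head)
    if not m:
        raise ValueError(f"unrecognised row: {line}")
    return {"op": f"Set value ({m.group(1)})", "key": m.group(2),
            "value": m.group(3), "process": process, "target": target}


def classify(row):
    """Return a finding name for a tamper write, or None for anything else."""
    parent, _, name = row["key"].lower().rpartition("\\")
    if parent.endswith("\\microsoft\\security center") \
            and name in SECURITY_CENTER_FLAGS and row["value"] == "1":
        return f"security_center:{name}"
    if parent.endswith("\\policies\\system") and name == "enablelua" and row["value"] == "0":
        return "uac_disabled"
    if parent.endswith("\\firewallpolicy\\standardprofile") \
            and name == "enablefirewall" and row["value"] == "0":
        return "firewall_disabled"
    return None


def triage(rows_text):
    """Map process -> {finding: True if the write went to the WOW6432Node view}."""
    findings = defaultdict(dict)
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        finding = classify(row)
        if finding is not None:
            findings[row["process"]][finding] = "\\wow6432node\\" in row["key"].lower()
    return dict(findings)


if __name__ == "__main__":
    for process, found in triage(SAMPLE_ROWS).items():
        print(process)
        for name, redirected in sorted(found.items()):
            print(f"  {name:45s} wow64 view: {redirected}")
```

Two things the output makes visible that the flat tables do not: every Security Center write from both droppers carries the WOW6432Node prefix, so a 32-bit process had its writes redirected to the 32-bit registry view, while the EnableLUA write has no prefix because HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies is shared between the two views. A 64-bit Security Center service reads the native view, so whether the notification-suppression rows achieve anything on a 64-bit host is something to verify on the box rather than assume from the report; the EnableLUA = 0 write, by contrast, lands in the real policy key.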

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574a67 C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
File created C:\Windows\e57b40e C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
(The report lists this identical row 64 times; it is collapsed here. SeDebugPrivilege is what lets the process open the SYSTEM-owned processes it writes into in the next table.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 1588 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe
PID 2908 wrote to memory of 1588 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe
PID 2908 wrote to memory of 1588 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe
PID 1588 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\dwm.exe
PID 1588 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\sihost.exe
PID 1588 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\svchost.exe
PID 1588 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\taskhostw.exe
PID 1588 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\Explorer.EXE
PID 1588 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\svchost.exe
PID 1588 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\DllHost.exe
PID 1588 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1588 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1588 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1588 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1588 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\rundll32.exe
PID 1588 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SysWOW64\rundll32.exe
PID 1588 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 2908 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 2908 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 2908 wrote to memory of 5088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
PID 2908 wrote to memory of 5088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
PID 2908 wrote to memory of 5088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
PID 1588 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\dwm.exe
PID 1588 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\sihost.exe
PID 1588 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\svchost.exe
PID 1588 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\taskhostw.exe
PID 1588 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\Explorer.EXE
PID 1588 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\svchost.exe
PID 1588 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\DllHost.exe
PID 1588 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1588 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1588 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1588 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 1588 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\System32\RuntimeBroker.exe
PID 1588 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
PID 1588 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
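The WriteProcessMemory table is easier to reason about as a graph than as a list: who loaded whom, and which process sprays into everything else. The script below is an added example, not code from the report or the sandbox. It parses rows in the report's own layout, de-duplicates repeated writes, reconstructs the loader chain of any PID from the order of first writes, and counts each writer's fan-out into system processes. Two assumptions are mine: a target whose image path starts with C:\Windows\ counts as a system process, and five or more such targets marks a broad injector. The sample rows are a subset of the table above in report order, with two of the report's repeated rows kept on purpose.

```python
"""Rebuild the injection graph from "wrote to memory of" rows.

Added example, not code from the report or the sandbox. SAMPLE_ROWS is a
subset of the "Suspicious use of WriteProcessMemory" table, in report
order, with two repeated rows kept to show de-duplication. Assumptions
(mine): an image under the Windows directory is a system process, and
five or more such targets marks a broad injector.
"""
import re

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE_ROWS = r"""
PID 232 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 1588 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5749da.exe
PID 1588 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\dwm.exe
PID 1588 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\sihost.exe
PID 1588 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\svchost.exe
PID 1588 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\taskhostw.exe
PID 1588 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\Explorer.EXE
PID 1588 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\rundll32.exe
PID 1588 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 2908 wrote to memory of 5088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
PID 1588 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Windows\system32\fontdrvhost.exe
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Users\Admin\AppData\Local\Temp\e574b03.exe
PID 1588 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\e5749da.exe C:\Users\Admin\AppData\Local\Temp\e57659f.exe
"""


def build_graph(rows_text):
    """Return de-duplicated (writer, target) edges plus first-write bookkeeping."""
    edges, names = [], {}
    first_written = {}   # pid -> (row index, writer) of the first write INTO pid
    first_write_by = {}  # pid -> row index of pid's own first write into another process
    rows = [ln.strip() for ln in rows_text.splitlines() if ln.strip()]
    for idx, line in enumerate(rows):
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line}")
        src, dst = int(m.group(1)), int(m.group(2))
        names.setdefault(src, m.group(3))
        names.setdefault(dst, m.group(4))
        if (src, dst) not in edges:
            edges.append((src, dst))
        first_written.setdefault(dst, (idx, src))
        first_write_by.setdefault(src, idx)
    return {"edges": edges, "names": names,
            "first_written": first_written, "first_write_by": first_write_by}


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def fanout(graph, writer):
    """Count distinct targets of one writer, split into system vs other images."""
    counts = {"system": 0, "other": 0}
    for src, dst in graph["edges"]:
        if src == writer:
            counts["system" if is_system_image(graph["names"][dst]) else "other"] += 1
    return counts


def lineage(graph, pid):
    """Walk first-writers back to the loader.

    A write that arrived after the target was already writing into others is
    not its origin (the payload writes back into its own loaders, which would
    otherwise turn the chain into a cycle), so the walk stops there.
    """
    chain, seen = [pid], {pid}
    while pid in graph["first_written"]:
        idx, writer = graph["first_written"][pid]
        if graph["first_write_by"].get(pid, float("inf")) < idx or writer in seen:
            break
        chain.append(writer)
        seen.add(writer)
        pid = writer
    return chain[::-1]


def broad_injectors(graph, min_system_targets=5):
    """PIDs that wrote into at least min_system_targets distinct system processes."""
    writers = {src for src, _ in graph["edges"]}
    return sorted(p for p in writers if fanout(graph, p)["system"] >= min_system_targets)


if __name__ == "__main__":
    g = build_graph(SAMPLE_ROWS)
    for pid in (1588, 2096, 5088):
        print(pid, "lineage:", " -> ".join(f"{p} {g['names'][p]}" for p in lineage(g, pid)))
    for pid in broad_injectors(g):
        print(pid, g["names"][pid], "fan-out:", fanout(g, pid))
```

Run on the rows above, the lineage of every dropped executable comes out as 64-bit rundll32 (232) to SysWOW64 rundll32 (2908) to the payload, and 1588 (e5749da.exe) is the only broad injector. The later writes from 1588 back into 232 and 2908 are exactly why the walk checks write order instead of following the first writer blindly.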

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5749da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57659f.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c3ef1c0df68a0d9cc535ff2c19875117362c052ba8116082a4fdb6ee5ff4f5e.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5749da.exe

C:\Users\Admin\AppData\Local\Temp\e5749da.exe

C:\Users\Admin\AppData\Local\Temp\e574b03.exe

C:\Users\Admin\AppData\Local\Temp\e574b03.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57659f.exe

C:\Users\Admin\AppData\Local\Temp\e57659f.exe

Network

Files

memory/2908-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5749da.exe

MD5 d13cbc185be2e6401eb88d2a7ece801a
SHA1 c6151b5012256a95620427b9b1ed6c8a16afcee4
SHA256 d9354276c50d796c773da0fa88d8e469cd13ba0786300f9eda93c0f5c7c7b111
SHA512 f90f039e9a565785f95a7fa4d60a1bc49926f9727e90d3ed95f3d272419c8f8f7471faea9d76474b59e9b6b484b74e6ac7472fe7b450ee15aaf4ef9e3bbb5bea

memory/1588-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1588-6-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-8-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2908-27-0x0000000004390000-0x0000000004391000-memory.dmp

memory/1588-9-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2908-13-0x0000000004300000-0x0000000004302000-memory.dmp

memory/1588-25-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-12-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-26-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-33-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-32-0x0000000000530000-0x0000000000532000-memory.dmp

memory/1588-35-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2908-31-0x0000000004300000-0x0000000004302000-memory.dmp

memory/2096-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1588-28-0x0000000000530000-0x0000000000532000-memory.dmp

memory/1588-11-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-10-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2908-17-0x0000000004300000-0x0000000004302000-memory.dmp

memory/1588-16-0x0000000001B50000-0x0000000001B51000-memory.dmp

memory/1588-36-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-37-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-38-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-39-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-40-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-41-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-43-0x0000000000780000-0x000000000183A000-memory.dmp

memory/5088-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1588-52-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-53-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-55-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-56-0x0000000000780000-0x000000000183A000-memory.dmp

memory/5088-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5088-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2096-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5088-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2096-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2096-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1588-66-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-68-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-71-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-73-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-74-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-75-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-76-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-78-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-80-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-82-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-83-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-94-0x0000000000530000-0x0000000000532000-memory.dmp

memory/1588-86-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1588-103-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2096-107-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b3c97e06a1fb80fb2123106d6c8318d5
SHA1 c4a038e8b0ae1fc7d585e5a18207323a3a8c714e
SHA256 b0eeb329fc87ee48bf2c255559fbf78cf8d636e2cab7389226583a33ebf6a390
SHA512 aaf3109dbbecb4454d81cc09fe09d8080a0332f4f6f1c2aeba2ad91b068a438d0a416378a43203fa7b10075b2ce53c8962dd5774efb60d5b905b52557f6e13f9

memory/5088-131-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/5088-132-0x0000000000400000-0x0000000000412000-memory.dmp