Malware Analysis Report

2024-09-11 12:39

Sample ID 240611-2cre5athmb
Target 5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003
SHA256 5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003
Tags
sality backdoor evasion trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003

Threat Level: Known bad

The file 5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Modifies firewall policy service

Sality

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX packed file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 22:26

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 22:26

Reported

2024-06-11 22:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76192c C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
File created C:\Windows\f766a19 C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7618de.exe
PID 972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Windows\system32\taskhost.exe
PID 972 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Windows\system32\Dwm.exe
PID 972 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Windows\Explorer.EXE
PID 972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Windows\system32\DllHost.exe
PID 972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Windows\system32\rundll32.exe
PID 972 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 3052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a73.exe
PID 1956 wrote to memory of 1696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 972 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Users\Admin\AppData\Local\Temp\f761a73.exe
PID 972 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\f7618de.exe C:\Users\Admin\AppData\Local\Temp\f763498.exe
PID 1696 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\f763498.exe C:\Windows\system32\taskhost.exe
PID 1696 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f763498.exe C:\Windows\system32\Dwm.exe
PID 1696 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\f763498.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7618de.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763498.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7618de.exe

C:\Users\Admin\AppData\Local\Temp\f7618de.exe

C:\Users\Admin\AppData\Local\Temp\f761a73.exe

C:\Users\Admin\AppData\Local\Temp\f761a73.exe

C:\Users\Admin\AppData\Local\Temp\f763498.exe

C:\Users\Admin\AppData\Local\Temp\f763498.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f7618de.exe

MD5 c53a766b928f7055887fd04c8e8f4e16
SHA1 43a41fc186dc4f1f0e3609fee210296f081a5d5f
SHA256 10463f0db938f1989e7264609d4ca56712cce37d0c060a8dfbc4323cf828b916
SHA512 e246ce5111bf18683ed3636aeae123bce6afeeddc67e59dadf4ec1dca45d574a22a4ef3744fddf6995ea58af77dc68a43673e96f268d331b274baccc6e5b01d8

C:\Windows\SYSTEM.INI

MD5 2080f7983abd6a7e870e88f7781d6d76
SHA1 e2105d67bbc1044326839cffc23db07fb0f2fa7c
SHA256 d6f79ce7e474be94c75ef6a83f65997b34da16f26d9e4217860587c3cd4ef4e9
SHA512 fd755cbee89d274630dc839f472628c2e8272a30bca34c3300af8571c90177aa7f40eee86468dce19b627606cde2b4d86b173123a7fbe25b262fa76b927f10b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 22:26

Reported

2024-06-11 22:29

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57683f C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
File created C:\Windows\e57c8de C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3592 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3592 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 4412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 2384 wrote to memory of 4412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 2384 wrote to memory of 4412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 4412 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\fontdrvhost.exe
PID 4412 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\fontdrvhost.exe
PID 4412 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\dwm.exe
PID 4412 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\sihost.exe
PID 4412 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\svchost.exe
PID 4412 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\taskhostw.exe
PID 4412 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\Explorer.EXE
PID 4412 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\svchost.exe
PID 4412 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\DllHost.exe
PID 4412 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4412 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4412 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4412 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4412 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4412 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\rundll32.exe
PID 4412 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SysWOW64\rundll32.exe
PID 4412 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 2884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
PID 2384 wrote to memory of 2884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
PID 2384 wrote to memory of 2884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
PID 4412 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\fontdrvhost.exe
PID 4412 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\fontdrvhost.exe
PID 4412 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\dwm.exe
PID 4412 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\sihost.exe
PID 4412 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\svchost.exe
PID 4412 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\taskhostw.exe
PID 4412 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\Explorer.EXE
PID 4412 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\svchost.exe
PID 4412 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\DllHost.exe
PID 4412 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4412 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4412 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4412 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4412 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4412 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\system32\rundll32.exe
PID 4412 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
PID 4412 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
PID 4412 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4412 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe C:\Windows\System32\RuntimeBroker.exe
PID 2384 wrote to memory of 3584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe
PID 2384 wrote to memory of 3584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe
PID 2384 wrote to memory of 3584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe
PID 3584 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\fontdrvhost.exe
PID 3584 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\fontdrvhost.exe
PID 3584 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\dwm.exe
PID 3584 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\sihost.exe
PID 3584 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\svchost.exe
PID 3584 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\taskhostw.exe
PID 3584 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\Explorer.EXE
PID 3584 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\svchost.exe
PID 3584 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\system32\DllHost.exe
PID 3584 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d6316649c5b485b1ff441fbdd88f70d28caa1a4ff60f0e96ad94969ef515003.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5767f1.exe

C:\Users\Admin\AppData\Local\Temp\e5767f1.exe

C:\Users\Admin\AppData\Local\Temp\e5769c6.exe

C:\Users\Admin\AppData\Local\Temp\e5769c6.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe

C:\Users\Admin\AppData\Local\Temp\e57a0b4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2384-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5767f1.exe

MD5 c53a766b928f7055887fd04c8e8f4e16
SHA1 43a41fc186dc4f1f0e3609fee210296f081a5d5f
SHA256 10463f0db938f1989e7264609d4ca56712cce37d0c060a8dfbc4323cf828b916
SHA512 e246ce5111bf18683ed3636aeae123bce6afeeddc67e59dadf4ec1dca45d574a22a4ef3744fddf6995ea58af77dc68a43673e96f268d331b274baccc6e5b01d8

memory/4412-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4412-10-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-18-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-30-0x0000000004230000-0x0000000004231000-memory.dmp

memory/4412-28-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-20-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-36-0x00000000007B0000-0x00000000007B2000-memory.dmp

memory/4412-35-0x00000000007B0000-0x00000000007B2000-memory.dmp

memory/2884-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4412-19-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-12-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/2384-27-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/2384-26-0x0000000000F60000-0x0000000000F62000-memory.dmp

memory/2384-23-0x0000000000F60000-0x0000000000F62000-memory.dmp

memory/4412-9-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/2384-21-0x0000000000F60000-0x0000000000F62000-memory.dmp

memory/4412-11-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-6-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-31-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-37-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-38-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-39-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/2884-42-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2884-41-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2884-44-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4412-43-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-45-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-47-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/3584-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2384-53-0x0000000000F60000-0x0000000000F62000-memory.dmp

memory/4412-56-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-58-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-64-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-66-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-67-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-68-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-70-0x00000000008C0000-0x000000000197A000-memory.dmp

memory/4412-78-0x00000000007B0000-0x00000000007B2000-memory.dmp

memory/4412-90-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2884-94-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3584-101-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3584-98-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3584-111-0x00000000007F0000-0x00000000018AA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 42ad66d070e91a66f8a9118b4be21f88
SHA1 7e87b7aed41a91d141fff077c23eb0055f716e9a
SHA256 5b9e24b77b2c4a10270798b864009d29c3ca1ac5adcc6a27ca3c58680781532b
SHA512 ad35515b774d420e710ff8b0f690d1a288b0916e64e9cd1544fe46dda9057139cdb5c066b92b7b0886c4226e9428e1fe5c0bfd5eaeafbaec1cc14be8f06600f5

memory/3584-95-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3584-147-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3584-148-0x00000000007F0000-0x00000000018AA000-memory.dmp