Malware Analysis Report

2024-09-11 12:49

Sample ID 240611-2sd5qsvepm
Target 6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4
SHA256 6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4

Threat Level: Known bad

The file 6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Sality

Modifies firewall policy service

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 22:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 22:50

Reported

2024-06-11 22:52

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
(23 matches; the report gives no per-match description, indicator, process or target: all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(28 matches; the report gives no per-match description, indicator, process or target: all N/A)

UPX packed file

upx
Description Indicator Process Target
(23 matches; the report gives no per-match description, indicator, process or target: all N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7618ce C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
File created C:\Windows\f766900 C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761880.exe
PID 2100 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761880.exe
PID 2100 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761880.exe
PID 2100 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761880.exe
PID 972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\system32\taskhost.exe
PID 972 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\system32\Dwm.exe
PID 972 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\Explorer.EXE
PID 972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\system32\DllHost.exe
PID 972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\system32\rundll32.exe
PID 972 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\SysWOW64\rundll32.exe
PID 972 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a16.exe
PID 2100 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a16.exe
PID 2100 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a16.exe
PID 2100 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a16.exe
PID 2100 wrote to memory of 2204 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76343a.exe
PID 2100 wrote to memory of 2204 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76343a.exe
PID 2100 wrote to memory of 2204 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76343a.exe
PID 2100 wrote to memory of 2204 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76343a.exe
PID 972 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\system32\taskhost.exe
PID 972 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\system32\Dwm.exe
PID 972 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Windows\Explorer.EXE
PID 972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Users\Admin\AppData\Local\Temp\f761a16.exe
PID 972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Users\Admin\AppData\Local\Temp\f761a16.exe
PID 972 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Users\Admin\AppData\Local\Temp\f76343a.exe
PID 972 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\f761880.exe C:\Users\Admin\AppData\Local\Temp\f76343a.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761880.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761a16.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761880.exe

C:\Users\Admin\AppData\Local\Temp\f761880.exe

C:\Users\Admin\AppData\Local\Temp\f761a16.exe

C:\Users\Admin\AppData\Local\Temp\f761a16.exe

C:\Users\Admin\AppData\Local\Temp\f76343a.exe

C:\Users\Admin\AppData\Local\Temp\f76343a.exe

Network

N/A

Files

memory/2100-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761880.exe

MD5 86fa12cf2d07b4e3129c95d8fa7bccdf
SHA1 4647aa41cce35377a76f352f764dcbbbeac6f83e
SHA256 4f94894fd178d59a9526316219c7f46a24462367819cd207428a2facd3ea1599
SHA512 b9bbf4d75d04dab65a585fcce3a032793560f5d78a2f8d0bc38630fe97bd61ed9d883ac328964e1e4073867416179e97fbd1318f45dc7be0e32bd90e4c1fac65

memory/2100-4-0x0000000000190000-0x00000000001A2000-memory.dmp

memory/2100-9-0x0000000000190000-0x00000000001A2000-memory.dmp

memory/972-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/972-14-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-15-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-22-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-23-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2100-49-0x0000000000200000-0x0000000000201000-memory.dmp

memory/972-52-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/972-50-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/972-53-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/2100-40-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2100-39-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1072-29-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/972-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2100-61-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2332-64-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2100-63-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2100-62-0x0000000000210000-0x0000000000222000-memory.dmp

memory/972-66-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-65-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-67-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-68-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-69-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2204-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/972-83-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-84-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-85-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2332-94-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2332-95-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2204-102-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2204-101-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2204-104-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2332-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/972-105-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-107-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-123-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/972-147-0x0000000000590000-0x000000000164A000-memory.dmp

memory/972-146-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 7b65699e8430354ed659e02f0b1252be
SHA1 4af475bcfbb79832e35c05896e01e1eb6f7ef7bf
SHA256 147fbf6f50239a2d3deaba44c3a271898f91efe52296bd5aeaba986dae931cc2
SHA512 32adb64660746ae3792dd78f1d795a10f566aa558f5beb14bf0fa590f08f3ad7e61acb30b97408c800cf0ad1e0cce6e1a1438d11e21e77c9df4ddb3338a5e1ad

memory/2332-168-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2332-172-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2332-173-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2204-177-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 22:50

Reported

2024-06-11 22:52

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
(33 matches; the report gives no per-match description, indicator, process or target: all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(40 matches; the report gives no per-match description, indicator, process or target: all N/A)

UPX packed file

upx
Description Indicator Process Target
(33 matches; the report gives no per-match description, indicator, process or target: all N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File created C:\Windows\e57a5c5 C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
File created C:\Windows\e5755e0 C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (×64) N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3280 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3280 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1288 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe
PID 1288 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe
PID 1288 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe
PID 1876 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\fontdrvhost.exe
PID 1876 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\fontdrvhost.exe
PID 1876 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\dwm.exe
PID 1876 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\sihost.exe
PID 1876 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\svchost.exe
PID 1876 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\taskhostw.exe
PID 1876 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\Explorer.EXE
PID 1876 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\svchost.exe
PID 1876 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\DllHost.exe
PID 1876 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1876 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1876 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1876 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1876 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\rundll32.exe
PID 1876 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SysWOW64\rundll32.exe
PID 1876 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SysWOW64\rundll32.exe
PID 1288 wrote to memory of 212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57568c.exe
PID 1288 wrote to memory of 212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57568c.exe
PID 1288 wrote to memory of 212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57568c.exe
PID 1288 wrote to memory of 5036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771a6.exe
PID 1288 wrote to memory of 5036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771a6.exe
PID 1288 wrote to memory of 5036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771a6.exe
PID 1288 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1288 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1288 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1876 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\fontdrvhost.exe
PID 1876 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\fontdrvhost.exe
PID 1876 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\dwm.exe
PID 1876 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\sihost.exe
PID 1876 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\svchost.exe
PID 1876 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\taskhostw.exe
PID 1876 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\Explorer.EXE
PID 1876 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\svchost.exe
PID 1876 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\DllHost.exe
PID 1876 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1876 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1876 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1876 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e57568c.exe
PID 1876 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e57568c.exe
PID 1876 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1876 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e5771a6.exe
PID 1876 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e5771a6.exe
PID 1876 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1876 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1548 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\system32\fontdrvhost.exe
PID 1548 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\system32\fontdrvhost.exe
PID 1548 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\system32\dwm.exe
PID 1548 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\system32\sihost.exe
PID 1548 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\system32\svchost.exe
PID 1548 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\system32\taskhostw.exe
PID 1548 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\Explorer.EXE
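The chain in the table above, reconstructed as an added example (this is not part of the sandbox report or the vendor's tooling): a small Python parser for the "PID X wrote to memory of Y" rows that counts repeated edges, separates targets under C:\Windows (processes that existed before the sample ran) from the dropped executables in the sample's Temp directory, and renders the writer-to-target tree starting at the first rundll32.exe. Only a representative subset of the rows is embedded; the path prefixes and the fan-out heuristic are assumptions of this example, not sandbox semantics.

```python
"""Rebuild the injection chain from the report's
"Suspicious use of WriteProcessMemory" rows (added example)."""
import re
from collections import Counter, defaultdict

# Subset of rows copied verbatim from the table above; every row in the
# table has the same shape, so the whole table can be pasted in here.
WPM_ROWS = r"""
PID 3280 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3280 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3280 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1288 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe
PID 1288 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe
PID 1288 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe
PID 1876 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\system32\dwm.exe
PID 1876 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\Explorer.EXE
PID 1876 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Windows\System32\RuntimeBroker.exe
PID 1288 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1288 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1288 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1876 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1876 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\e575582.exe C:\Users\Admin\AppData\Local\Temp\e5771d4.exe
PID 1548 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e5771d4.exe C:\Windows\Explorer.EXE
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Path prefixes are assumptions taken from the report's own paths.
TEMP_DIR = "c:\\users\\admin\\appdata\\local\\temp\\"
WINDOWS_DIR = "c:\\windows\\"


def parse_rows(text):
    """Turn each row into (writer_pid, target_pid, writer_image, target_image)."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def edge_counts(events):
    """How many times each (writer, target) pair appears in the table."""
    return Counter((src, dst) for src, dst, _, _ in events)


def images(events):
    """PID -> image path, taken from whichever column the PID appears in."""
    out = {}
    for src, dst, src_img, dst_img in events:
        out[src], out[dst] = src_img, dst_img
    return out


def fan_out(events):
    """Distinct target PIDs per writer (heuristic: a dropped EXE with a large
    fan-out into pre-existing processes is the injection signal)."""
    targets = defaultdict(set)
    for src, dst, _, _ in events:
        targets[src].add(dst)
    return {pid: len(t) for pid, t in targets.items()}


def system_targets(events, writer):
    """Image names under C:\\Windows that `writer` wrote into."""
    return {basename(dst_img) for src, _, _, dst_img in events
            if src == writer and dst_img.lower().startswith(WINDOWS_DIR)}


def dropped_targets(events):
    """Image names in the sample's Temp directory that received writes,
    i.e. the dropped payloads being started or patched."""
    return {basename(dst_img) for _, _, _, dst_img in events
            if dst_img.lower().startswith(TEMP_DIR)}


def render_tree(events, root, depth=0, seen=None):
    """Indented writer -> target tree from `root`, one line per distinct edge,
    with the repeat count so the three-write bursts stand out."""
    if seen is None:
        seen = {root}
    counts, imgs = edge_counts(events), images(events)
    lines = []
    for child in sorted({dst for src, dst, _, _ in events if src == root}):
        lines.append("  " * depth + f"{root} -> {child} {basename(imgs[child])} x{counts[(root, child)]}")
        if child not in seen:          # guard against the 1876 -> 3280 back-edge
            seen.add(child)
            lines.extend(render_tree(events, child, depth + 1, seen))
    return lines


if __name__ == "__main__":
    ev = parse_rows(WPM_ROWS)
    print("\n".join(render_tree(ev, 3280)))
    print("fan-out:", fan_out(ev))
    print("system processes written by 1876:", sorted(system_targets(ev, 1876)))
    print("dropped payloads:", sorted(dropped_targets(ev)))
```

Reading the tree: each freshly started process (the 32-bit rundll32.exe, then each dropped .exe) receives exactly three writes from the process that launched it, while the long-lived Windows processes (dwm.exe, Explorer.EXE, RuntimeBroker.exe) receive single writes from e575582.exe; the second pattern is the injection into processes the sample did not start, and that is what the fan-out number keys on.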

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
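The registry, drive-letter and file rows from the signature tables above, triaged as an added example (this is not the sandbox's code): it parses the three row shapes, flags the EnableLUA writes against a baseline of expected values, counts distinct drive letters per process to pick out the drive sweep, and lists executables under Program Files that were opened for modification by a process running from the sample's Temp directory. The baseline values, the drive-letter threshold and the path prefixes are assumptions of this example; the embedded rows are a subset copied from the tables.

```python
"""Triage the policy-modification, drive-enumeration and file-modification
rows from the report's signature tables (added example)."""
import re
from collections import defaultdict

# Subset of rows copied from the tables above.
SIGNATURE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5771d4.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
File created C:\Windows\e5755e0 C:\Users\Admin\AppData\Local\Temp\e575582.exe N/A
"""

# The indicator may contain spaces ("C:\Program Files\..."), the process path
# does not, so the row is split from the right.
ROW_RE = re.compile(
    r"^(?P<desc>Set value \(int\)|File opened \(read-only\)|File opened for modification|File created) "
    r"(?P<indicator>.+) (?P<process>\S+) N/A$")
REG_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\ ]+) = "(?P<value>[^"]*)"$')
DRIVE_RE = re.compile(r"^\\\?\?\\(?P<letter>[A-Z]):$")

# Baseline is an assumption for this example: EnableLUA=1 keeps UAC on,
# EnableFirewall=1 keeps the profile's firewall on (that key is in the
# report's signature list).
POLICY_BASELINE = {"EnableLUA": 1, "EnableFirewall": 1}
DRIVE_SWEEP_THRESHOLD = 3          # distinct drive letters before it counts as a sweep
TEMP_DIR = "c:\\users\\admin\\appdata\\local\\temp\\"
PROGRAM_FILES = "c:\\program files\\"
EXE_SUFFIXES = (".exe", ".dll", ".scr")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def policy_findings(rows):
    """Registry writes that move a baselined setting away from its expected value."""
    out = []
    for r in rows:
        if r["desc"] != "Set value (int)":
            continue
        m = REG_RE.match(r["indicator"])
        if not m:
            continue
        name, value = m["name"], int(m["value"])
        if name in POLICY_BASELINE and value != POLICY_BASELINE[name]:
            out.append({"kind": "policy", "setting": name, "observed": value,
                        "expected": POLICY_BASELINE[name], "process": basename(r["process"])})
    return out


def drive_sweep_findings(rows, threshold=DRIVE_SWEEP_THRESHOLD):
    """Processes that opened at least `threshold` distinct drive letters."""
    letters = defaultdict(set)
    for r in rows:
        if r["desc"] == "File opened (read-only)":
            m = DRIVE_RE.match(r["indicator"])
            if m:
                letters[basename(r["process"])].add(m["letter"])
    return [{"kind": "drive_sweep", "process": p, "drives": "".join(sorted(s))}
            for p, s in sorted(letters.items()) if len(s) >= threshold]


def infection_findings(rows):
    """Executables under Program Files opened for modification from Temp."""
    out = []
    for r in rows:
        if r["desc"] != "File opened for modification":
            continue
        target = r["indicator"].lower()
        if (target.startswith(PROGRAM_FILES) and target.endswith(EXE_SUFFIXES)
                and r["process"].lower().startswith(TEMP_DIR)):
            out.append({"kind": "exe_modified", "file": r["indicator"],
                        "process": basename(r["process"])})
    return out


def triage(text):
    rows = parse_rows(text)
    return policy_findings(rows) + drive_sweep_findings(rows) + infection_findings(rows)


if __name__ == "__main__":
    for finding in triage(SIGNATURE_ROWS):
        print(finding)
```

EnableLUA=0 turns UAC off at the next logon, so a host carrying that value with no change record should be treated as compromised rather than misconfigured. The executables flagged under Program Files are the files to re-hash against the vendor's originals: Sality is a file infector, and the 7-Zip binaries are the first candidates on this host.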

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6554d688ac75ae216f638d44a1079aecd643d81b33240691da7c6e884b01b3d4.dll,#1

C:\Users\Admin\AppData\Local\Temp\e575582.exe

C:\Users\Admin\AppData\Local\Temp\e575582.exe

C:\Users\Admin\AppData\Local\Temp\e57568c.exe

C:\Users\Admin\AppData\Local\Temp\e57568c.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5771a6.exe

C:\Users\Admin\AppData\Local\Temp\e5771a6.exe

C:\Users\Admin\AppData\Local\Temp\e5771d4.exe

C:\Users\Admin\AppData\Local\Temp\e5771d4.exe

Network

Files

memory/1288-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e575582.exe

MD5 86fa12cf2d07b4e3129c95d8fa7bccdf
SHA1 4647aa41cce35377a76f352f764dcbbbeac6f83e
SHA256 4f94894fd178d59a9526316219c7f46a24462367819cd207428a2facd3ea1599
SHA512 b9bbf4d75d04dab65a585fcce3a032793560f5d78a2f8d0bc38630fe97bd61ed9d883ac328964e1e4073867416179e97fbd1318f45dc7be0e32bd90e4c1fac65

memory/1876-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1876-10-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-23-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-11-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1288-33-0x0000000003970000-0x0000000003972000-memory.dmp

memory/1876-34-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-22-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-19-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-27-0x0000000001A70000-0x0000000001A72000-memory.dmp

memory/212-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1876-24-0x0000000001A70000-0x0000000001A72000-memory.dmp

memory/1288-16-0x0000000003970000-0x0000000003972000-memory.dmp

memory/1288-13-0x0000000003980000-0x0000000003981000-memory.dmp

memory/1288-12-0x0000000003970000-0x0000000003972000-memory.dmp

memory/1876-9-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-15-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/1876-6-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-35-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-32-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-37-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-36-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-38-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-39-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-40-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-42-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-43-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1548-55-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5036-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1876-57-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-59-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-60-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/5036-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1548-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5036-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/212-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1548-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1548-68-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/212-66-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5036-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/212-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1876-75-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-76-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-78-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-80-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-82-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-83-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-84-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-87-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-89-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-91-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/1876-111-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1876-96-0x00000000007F0000-0x00000000018AA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 47bc113843b1ec97e5532eb95bf90cad
SHA1 b65b9ceb497ecee22d7729658490a6bb6a6da848
SHA256 903c7bc650b0340c48721cb5f651b5b430b007a88f921168ae3f94685f9d9761
SHA512 60ed0231ae1baed048a96932c47d3df9a5b56828315add845c08df2acaa46c9e83504024f4a3c1eac296650c59f9f7082786af24728857de447a33e81beb132b

memory/212-124-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1548-127-0x0000000000B60000-0x0000000001C1A000-memory.dmp

memory/5036-144-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1548-163-0x0000000000B60000-0x0000000001C1A000-memory.dmp

memory/1548-164-0x0000000000400000-0x0000000000412000-memory.dmp