Malware Analysis Report

2024-09-11 12:41

Sample ID 240611-bxezqazbqk
Target a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75
SHA256 a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75

Threat Level: Known bad

The file a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Modifies firewall policy service

Sality

Windows security bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

Windows security modification

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:31

Reported

2024-06-11 01:33

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57689d C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
File created C:\Windows\e57d3bb C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 2620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 3168 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57684f.exe
PID 3168 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\fontdrvhost.exe
PID 3168 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\fontdrvhost.exe
PID 3168 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\dwm.exe
PID 3168 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\sihost.exe
PID 3168 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\svchost.exe
PID 3168 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\taskhostw.exe
PID 3168 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\Explorer.EXE
PID 3168 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\svchost.exe
PID 3168 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\DllHost.exe
PID 3168 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3168 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3168 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3168 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3168 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3168 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3168 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3168 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\system32\rundll32.exe
PID 3168 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 2588 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 2620 wrote to memory of 3568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5784d0.exe
PID 3168 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 3168 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3168 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3168 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e57684f.exe C:\Users\Admin\AppData\Local\Temp\e5784d0.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57684f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5784d0.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57684f.exe

C:\Users\Admin\AppData\Local\Temp\e57684f.exe

C:\Users\Admin\AppData\Local\Temp\e576968.exe

C:\Users\Admin\AppData\Local\Temp\e576968.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5784d0.exe

C:\Users\Admin\AppData\Local\Temp\e5784d0.exe

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\e57684f.exe

MD5 bec26dc406f3cb72a8608800d2574a52
SHA1 2c779545e426e78ec78fc434e765198a1b1f91c5
SHA256 f5be4b9c37fe9d442191e2bcd83bd6e3cf59fb064fedc82cbbe358b07f6f5468
SHA512 3c976caa0ad461dbe7f377d509929ea3ae5fbaa850bd295501ebc8290a134d93d2a40efda4479211302865ce5fc1223153e83840b8cf6f51337252b884ad4b9e

C:\Windows\SYSTEM.INI

MD5 002cdb99739ee47b2ddd88f9d675ff99
SHA1 fcdb07eec029cf4da4c3a2fba9ade308c474a163
SHA256 b20a3025eefe848ef5c1855065e73f68ff11eb3fc7ff8acc368e6074f77363b6
SHA512 41782613ad123f2378cf135afce1a55be078c2897e0f5f3477e7f181d954c653fc6fc424bce16c7a80539781ea4c5eba9bc4afdb904d1cb4832bf2942cd3ca07

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:31

Reported

2024-06-11 01:33

Platform

win7-20240215-en

Max time kernel

121s

Max time network

126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7613b0 C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
File created C:\Windows\f7663b3 C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2572 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761352.exe
PID 2572 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Windows\system32\taskhost.exe
PID 2572 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Windows\system32\Dwm.exe
PID 2572 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Windows\Explorer.EXE
PID 2572 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Windows\system32\DllHost.exe
PID 2572 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Windows\system32\rundll32.exe
PID 2572 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7614c8.exe
PID 2928 wrote to memory of 1708 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762fe6.exe
PID 2572 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Users\Admin\AppData\Local\Temp\f7614c8.exe
PID 2572 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\f761352.exe C:\Users\Admin\AppData\Local\Temp\f762fe6.exe
PID 1708 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f762fe6.exe C:\Windows\system32\taskhost.exe
PID 1708 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f762fe6.exe C:\Windows\system32\Dwm.exe
PID 1708 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f762fe6.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761352.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762fe6.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d62dc5b86804bb92a2b7eadfd44d37bd9b4e3c421a553f846a9ffd8ca86d75.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761352.exe

C:\Users\Admin\AppData\Local\Temp\f761352.exe

C:\Users\Admin\AppData\Local\Temp\f7614c8.exe

C:\Users\Admin\AppData\Local\Temp\f7614c8.exe

C:\Users\Admin\AppData\Local\Temp\f762fe6.exe

C:\Users\Admin\AppData\Local\Temp\f762fe6.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\f761352.exe

MD5 bec26dc406f3cb72a8608800d2574a52
SHA1 2c779545e426e78ec78fc434e765198a1b1f91c5
SHA256 f5be4b9c37fe9d442191e2bcd83bd6e3cf59fb064fedc82cbbe358b07f6f5468
SHA512 3c976caa0ad461dbe7f377d509929ea3ae5fbaa850bd295501ebc8290a134d93d2a40efda4479211302865ce5fc1223153e83840b8cf6f51337252b884ad4b9e

C:\Windows\SYSTEM.INI

MD5 7b7588b38b0a3afc7085fd4faf56f447
SHA1 0329b316a8d92b977be9a1c0c8d441f0c2337489
SHA256 0233baa8e8d7af23f2ad3b08ece0a5004226c896d7b6212cdb384f5931d200cf
SHA512 cf047c4128daa080528a53340edb1474c3a10c9ad445b404aac95557b65f321beb5a2207f14138584a6c7adeed808f5630b2742519c3bdfa54d441c99aa035b7
