Malware Analysis Report

2024-09-11 12:26

Sample ID 240611-d2t1jssenc
Target d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24
SHA256 d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24

Threat Level: Known bad

Verdict: d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24 is classified as Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Modifies firewall policy service

Sality

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Loads dropped DLL

Executes dropped EXE

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:30

Reported

2024-06-11 03:33

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
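
Worked example (added by the editor, not sandbox output): a small Python triage script that parses "Set value" / "Key created" rows exactly as they appear in the three tables above (and in the repeated Security Center and EnableLUA tables later in this section), canonicalises each key (\REGISTRY\MACHINE becomes HKLM, the Wow6432Node redirection is stripped, ControlSet001 becomes CurrentControlSet) and matches every write against a profile of the settings this sample tampers with. The TAMPER_PROFILE mapping from key to meaning and ATT&CK technique is the editor's own assumption, not something the sandbox emitted; the sample rows are a constructed subset copied from the tables.

```python
"""Triage the registry rows of a sandbox signature table.

Added example for this report, not sandbox output. SAMPLE_ROWS is a constructed
subset of the behavioral1 tables; TAMPER_PROFILE (key -> meaning, ATT&CK id) is
the editor's assumption about what each setting does.
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied verbatim from the tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
"""

# Key paths contain spaces ("Security Center"), so the key is matched non-greedily
# up to the ' = "value"' delimiter; process paths in this report contain no spaces.
SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<key>.+?) = "(?P<val>[^"]*)" (?P<proc>\S+) N/A$')
KEY_RE = re.compile(r'^Key created (?P<key>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$')

_FW = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
_POL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Editor's assumption: (canonical key, value) -> (what it does, ATT&CK technique).
TAMPER_PROFILE = {(k.lower(), v): (why, tid) for k, v, why, tid in [
    (_FW + r"\EnableFirewall", "0", "Windows Firewall off for the Standard profile", "T1562.004"),
    (_FW + r"\DoNotAllowExceptions", "0", "firewall exceptions allowed again", "T1562.004"),
    (_FW + r"\DisableNotifications", "1", "firewall notifications suppressed", "T1562.004"),
    (_POL + r"\EnableLUA", "0", "UAC disabled (effective after reboot)", "T1548.002"),
    (_SC + r"\AntiVirusOverride", "1", "Security Center ignores AV state", "T1562.001"),
    (_SC + r"\FirewallOverride", "1", "Security Center ignores firewall state", "T1562.001"),
    (_SC + r"\AntiVirusDisableNotify", "1", "AV warnings suppressed", "T1562.001"),
    (_SC + r"\FirewallDisableNotify", "1", "firewall warnings suppressed", "T1562.001"),
    (_SC + r"\UpdatesDisableNotify", "1", "Windows Update warnings suppressed", "T1562.001"),
    (_SC + r"\UacDisableNotify", "1", "UAC warnings suppressed", "T1562.001"),
]}


def normalize_key(key):
    """Canonical, lower-cased HKLM path so one rule covers 32/64-bit views and control sets."""
    k = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key, flags=re.I)
    k = re.sub(r'\\Wow6432Node\\', r'\\', k, flags=re.I)             # WOW64 registry redirection
    k = re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', k, flags=re.I)
    return k.lower()


def parse_rows(text):
    """Return dicts with op ('set'/'create'), key, value (None for key creation) and process."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            rows.append({"op": "set", "key": m["key"], "value": m["val"], "proc": m["proc"]})
            continue
        m = KEY_RE.match(line)
        if m:
            rows.append({"op": "create", "key": m["key"], "value": None, "proc": m["proc"]})
    return rows


def triage(rows):
    """process -> [(canonical key, value, meaning, technique or None)] in table order."""
    findings = defaultdict(list)
    for r in rows:
        nk = normalize_key(r["key"])
        hit = TAMPER_PROFILE.get((nk, r["value"]))
        if hit:
            findings[r["proc"]].append((nk, r["value"], hit[0], hit[1]))
        else:
            findings[r["proc"]].append((nk, r["value"], "unmapped " + r["op"], None))
    return dict(findings)


def techniques(findings):
    """Sorted, de-duplicated ATT&CK ids across all processes."""
    return sorted({f[3] for fs in findings.values() for f in fs if f[3]})


if __name__ == "__main__":
    for proc, fs in triage(parse_rows(SAMPLE_ROWS)).items():
        print(proc)
        for nk, val, why, tid in fs:
            print(f"  [{tid or '-'}] {nk} = {val!r}: {why}")
```

Canonicalising the key is the point of the exercise: the same write is recorded under Wow6432Node here because the dropped executables are 32-bit processes on a 64-bit guest, and under ControlSet001 rather than CurrentControlSet; a detection keyed on either literal path would miss the other run. On a live host the same profile can be checked with reg query against the HKLM paths directly.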

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
24 hits (no indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
27 hits (no indicator, process or target recorded for any of them)

UPX packed file

upx
Description Indicator Process Target
24 hits (no indicator, process or target recorded for any of them)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761989 C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
File created C:\Windows\f7669ea C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A 21
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A 20

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1628 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 1988 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76193b.exe 4
PID 2292 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\taskhost.exe 2
PID 2292 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\Dwm.exe 2
PID 2292 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\Explorer.EXE 2
PID 2292 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\DllHost.exe 1
PID 2292 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\rundll32.exe 1
PID 2292 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\SysWOW64\rundll32.exe 2
PID 1988 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761af0.exe 4
PID 1988 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7634f5.exe 4
PID 2292 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Users\Admin\AppData\Local\Temp\f761af0.exe 2
PID 2292 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Users\Admin\AppData\Local\Temp\f7634f5.exe 2
PID 2384 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe C:\Windows\system32\taskhost.exe 1
PID 2384 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe C:\Windows\system32\Dwm.exe 1
PID 2384 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe C:\Windows\Explorer.EXE 1
(36 rows in the original table, one per WriteProcessMemory call; identical rows merged, count in the last column)
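
Worked example (editor's code, not sandbox output): reconstructing who wrote into whom from the rows above. The sandbox records one row per WriteProcessMemory call, so the same pair recurs and the repeat count is itself informative. The script separates the three kinds of write visible in this run: a process launching a copy of itself (the 64-bit C:\Windows\system32\rundll32.exe writing into C:\Windows\SysWOW64\rundll32.exe is the host re-launching its 32-bit copy to load the 32-bit sample DLL; the Processes section shows both with the same command line), a loader staging code into a child it created from a dropped file under %TEMP%, and writes by the dropped executables (PIDs 2292 and 2384) into already-running taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, which is the injection that matters. The classification rules are path heuristics chosen by the editor, and the "first writer" tree approximates lineage from write order; neither is the sandbox's own process tree. SAMPLE_WRITES is a constructed subset of the calls in the table.

```python
"""Reconstruct the cross-process write graph from 'wrote to memory of' rows.

Added example (editor's code, not sandbox output). SAMPLE_WRITES is a constructed
subset of the WriteProcessMemory calls in the table above, repeats kept on purpose.
classify() is an editor's heuristic and first_writer_tree() approximates lineage
from write order; neither is a sandbox verdict.
"""
import re
from collections import Counter

SAMPLE_WRITES = r"""
PID 1628 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76193b.exe
PID 1988 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76193b.exe
PID 2292 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\taskhost.exe
PID 2292 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\Dwm.exe
PID 2292 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\Explorer.EXE
PID 2292 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\DllHost.exe
PID 1988 wrote to memory of 2384 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761af0.exe
PID 2292 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f76193b.exe C:\Windows\system32\taskhost.exe
PID 2384 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe C:\Windows\system32\taskhost.exe
PID 2384 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f761af0.exe C:\Windows\Explorer.EXE
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples in table order."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def edge_counts(writes):
    """(src_pid, dst_pid) -> number of calls; repeats are a loader staging a payload piecewise."""
    return Counter((s, d) for s, d, _, _ in writes)


def classify(src_image, dst_image):
    """Editor's heuristic for what a cross-process write most likely is."""
    dst = dst_image.lower()
    if basename(src_image) == basename(dst_image):
        return "relaunch"   # e.g. 64-bit rundll32.exe starting its SysWOW64 copy for a 32-bit DLL
    if "\\appdata\\local\\temp\\" in dst:
        return "staging"    # loader writing into a child created from a dropped file
    if dst.startswith("c:\\windows\\"):
        return "injection"  # write into an already running system process
    return "other"


def injection_targets(writes):
    """src_pid -> set of system-process image names it wrote into."""
    targets = {}
    for s, _, src, dst in writes:
        if classify(src, dst) == "injection":
            targets.setdefault(s, set()).add(basename(dst))
    return targets


def first_writer_tree(writes):
    """dst_pid -> first pid that wrote into it; approximates loader -> child lineage."""
    parent = {}
    for s, d, _, _ in writes:
        if d != s and d not in parent:
            parent[d] = s
    return parent


def render_tree(writes):
    """Indented text tree rooted at the pids nobody wrote into."""
    names = {}
    for s, d, src, dst in writes:
        names.setdefault(s, basename(src))
        names.setdefault(d, basename(dst))
    parent = first_writer_tree(writes)
    children = {}
    for child, p in parent.items():
        children.setdefault(p, []).append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names[pid]}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in names if p not in parent]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    w = parse_writes(SAMPLE_WRITES)
    print("\n".join(render_tree(w)))
    for (s, d), n in edge_counts(w).most_common():
        print(f"{s} -> {d}: {n} write(s)")
    print(injection_targets(w))
```

The same-basename rule is what keeps the rundll32 re-launch out of the injection list; without it every 32-bit DLL detonated on a 64-bit guest would look like rundll32 injecting into rundll32. The rule is deliberately narrow: a real injection into a process with the same image name (malware.exe into another malware.exe) would be classified as a relaunch, so for hunting outside this report the heuristic should be combined with parent-process data.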

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761af0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76193b.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76193b.exe

C:\Users\Admin\AppData\Local\Temp\f76193b.exe

C:\Users\Admin\AppData\Local\Temp\f761af0.exe

C:\Users\Admin\AppData\Local\Temp\f761af0.exe

C:\Users\Admin\AppData\Local\Temp\f7634f5.exe

C:\Users\Admin\AppData\Local\Temp\f7634f5.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f76193b.exe

MD5 ddb9a26210fd0852ecd7b071893f6415
SHA1 97db1f9dabb1da3047e5c382693058826242c7e3
SHA256 55dfc2182b592e49a72ab8569bdbbf8e60dbb9fd6598f0248b61fe45de80486b
SHA512 0ac2abef3d96a76426723ba70bc5abbd1c8192fb12a6c8543a25cd1dfbdf1f9ceec5b5cf57ea324d293e5f6267d49aae9be6208ecd784e2f115fad5849901c43

memory/1988-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2292-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1988-10-0x0000000000180000-0x0000000000192000-memory.dmp

memory/1988-9-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2292-13-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-15-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1988-37-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1092-29-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2292-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-23-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1988-38-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2292-47-0x00000000016A0000-0x00000000016A1000-memory.dmp

memory/2292-49-0x0000000001690000-0x0000000001692000-memory.dmp

memory/2292-50-0x0000000001690000-0x0000000001692000-memory.dmp

memory/1988-46-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2292-22-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1988-59-0x0000000000230000-0x0000000000242000-memory.dmp

memory/2384-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1988-57-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2292-61-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-62-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-63-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-64-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-65-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1988-75-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1988-78-0x0000000000180000-0x0000000000182000-memory.dmp

memory/1768-79-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2292-80-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-81-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-83-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2384-93-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2384-94-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1768-101-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1768-100-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2384-102-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1768-103-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2292-104-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-106-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-114-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-153-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2292-152-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 77fc548b70a0dbefda197918b6f2f05a
SHA1 f2c30d6320e98c930b65e5140e05416b60272293
SHA256 575dcd087de8b0b39a6b7fa1144862be94f30bee4451c978a442f173da167a85
SHA512 bc7d89e51431a13598203579ac2dd10f0acf8159052bc3502fd95ec6217edf311a0155509653046c36e6034ba13547aab9d23686520d5647c95783f9fc0975a1

memory/2384-165-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2384-186-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2384-187-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1768-191-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:30

Reported

2024-06-11 03:33

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
31 hits (no indicator, process or target recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
36 hits (no indicator, process or target recorded for any of them)

UPX packed file

upx
Description Indicator Process Target
31 hits (no indicator, process or target recorded for any of them)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57b0d1 C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A
File created C:\Windows\e576012 C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 1508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 4956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe
PID 1508 wrote to memory of 4956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe
PID 1508 wrote to memory of 4956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575fb4.exe
PID 4956 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\fontdrvhost.exe
PID 4956 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\fontdrvhost.exe
PID 4956 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\dwm.exe
PID 4956 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\sihost.exe
PID 4956 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\svchost.exe
PID 4956 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\taskhostw.exe
PID 4956 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\Explorer.EXE
PID 4956 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\svchost.exe
PID 4956 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\DllHost.exe
PID 4956 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4956 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4956 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4956 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4956 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\rundll32.exe
PID 4956 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SysWOW64\rundll32.exe
PID 4956 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576254.exe
PID 1508 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576254.exe
PID 1508 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576254.exe
PID 1508 wrote to memory of 5060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577d6d.exe
PID 1508 wrote to memory of 5060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577d6d.exe
PID 1508 wrote to memory of 5060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577d6d.exe
PID 4956 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\fontdrvhost.exe
PID 4956 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\fontdrvhost.exe
PID 4956 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\dwm.exe
PID 4956 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\sihost.exe
PID 4956 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\svchost.exe
PID 4956 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\taskhostw.exe
PID 4956 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\Explorer.EXE
PID 4956 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\svchost.exe
PID 4956 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\system32\DllHost.exe
PID 4956 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4956 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4956 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4956 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Users\Admin\AppData\Local\Temp\e576254.exe
PID 4956 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Users\Admin\AppData\Local\Temp\e576254.exe
PID 4956 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Windows\System32\RuntimeBroker.exe
PID 4956 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Users\Admin\AppData\Local\Temp\e577d6d.exe
PID 4956 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\e575fb4.exe C:\Users\Admin\AppData\Local\Temp\e577d6d.exe
PID 3496 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\fontdrvhost.exe
PID 3496 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\fontdrvhost.exe
PID 3496 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\dwm.exe
PID 3496 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\sihost.exe
PID 3496 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\svchost.exe
PID 3496 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\taskhostw.exe
PID 3496 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\Explorer.EXE
PID 3496 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\svchost.exe
PID 3496 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\system32\DllHost.exe
PID 3496 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3496 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\System32\RuntimeBroker.exe
PID 3496 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\e576254.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575fb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576254.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0cae67deec0c50c58d043057aec6a83c9710f9096b6f7af3792b42102d36c24.dll,#1

C:\Users\Admin\AppData\Local\Temp\e575fb4.exe

C:\Users\Admin\AppData\Local\Temp\e575fb4.exe

C:\Users\Admin\AppData\Local\Temp\e576254.exe

C:\Users\Admin\AppData\Local\Temp\e576254.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e577d6d.exe

C:\Users\Admin\AppData\Local\Temp\e577d6d.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1508-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4956-4-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e575fb4.exe

MD5 ddb9a26210fd0852ecd7b071893f6415
SHA1 97db1f9dabb1da3047e5c382693058826242c7e3
SHA256 55dfc2182b592e49a72ab8569bdbbf8e60dbb9fd6598f0248b61fe45de80486b
SHA512 0ac2abef3d96a76426723ba70bc5abbd1c8192fb12a6c8543a25cd1dfbdf1f9ceec5b5cf57ea324d293e5f6267d49aae9be6208ecd784e2f115fad5849901c43

memory/4956-9-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-8-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-17-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-20-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-18-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-21-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-22-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-32-0x0000000003520000-0x0000000003522000-memory.dmp

memory/1508-31-0x00000000039C0000-0x00000000039C1000-memory.dmp

memory/1508-30-0x00000000039B0000-0x00000000039B2000-memory.dmp

memory/1508-27-0x00000000039B0000-0x00000000039B2000-memory.dmp

memory/4956-26-0x0000000004370000-0x0000000004371000-memory.dmp

memory/1508-23-0x00000000039B0000-0x00000000039B2000-memory.dmp

memory/4956-11-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-19-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-10-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3496-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4956-35-0x0000000003520000-0x0000000003522000-memory.dmp

memory/4956-37-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-38-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-39-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-40-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-41-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/5060-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4956-51-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-52-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-53-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-55-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/5060-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3496-60-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/5060-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3496-57-0x0000000000570000-0x0000000000571000-memory.dmp

memory/5060-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3496-62-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4956-64-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-66-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-68-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-71-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-73-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-74-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-75-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-76-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-78-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-89-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4956-92-0x0000000003520000-0x0000000003522000-memory.dmp

memory/4956-104-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 1ac5893c57d5883f85cf5dac61614d1f
SHA1 3f02ba59ac27e09b77f2273580bcea2589287178
SHA256 10474db6fadce0bd056c206c177177c39ef306708290ac8ec55cb1fc50a36118
SHA512 1470fec7c586e77839eea34bd3ac3683898d4adb0d2d7209e785547d65b9166f24c34df44a5ad4f7d3322b19eeae5c7562fd1a8c0a1031e365e70d8dbee81f3d

memory/3496-116-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/3496-141-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3496-140-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/5060-145-0x0000000000400000-0x0000000000412000-memory.dmp