Malware Analysis Report

2024-09-11 12:46

Sample ID 240611-f2bkbawbpg
Target fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf
SHA256 fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf
Tags: sality backdoor evasion trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf

Threat Level: Known bad

The file fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

UAC bypass

Windows security bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX packed file

Windows security modification

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 05:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 05:21

Reported

2024-06-11 05:24

Platform

win7-20240419-en

Max time kernel

121s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality


UPX dump on OEP (original entry point)


UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760ff8 C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
File created C:\Windows\f765ffb C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2056 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760f9a.exe
PID 2056 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760f9a.exe
PID 2056 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760f9a.exe
PID 2056 wrote to memory of 2768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760f9a.exe
PID 2768 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\system32\taskhost.exe
PID 2768 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\system32\Dwm.exe
PID 2768 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\system32\DllHost.exe
PID 2768 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\system32\rundll32.exe
PID 2768 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\SysWOW64\rundll32.exe
PID 2056 wrote to memory of 2492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761101.exe
PID 2056 wrote to memory of 2492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761101.exe
PID 2056 wrote to memory of 2492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761101.exe
PID 2056 wrote to memory of 2492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761101.exe
PID 2056 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762b54.exe
PID 2056 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762b54.exe
PID 2056 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762b54.exe
PID 2056 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762b54.exe
PID 2768 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\system32\taskhost.exe
PID 2768 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\system32\Dwm.exe
PID 2768 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Users\Admin\AppData\Local\Temp\f761101.exe
PID 2768 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Users\Admin\AppData\Local\Temp\f761101.exe
PID 2768 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Users\Admin\AppData\Local\Temp\f762b54.exe
PID 2768 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\f760f9a.exe C:\Users\Admin\AppData\Local\Temp\f762b54.exe
PID 2552 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe C:\Windows\system32\taskhost.exe
PID 2552 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe C:\Windows\system32\Dwm.exe
PID 2552 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f762b54.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760f9a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762b54.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760f9a.exe

C:\Users\Admin\AppData\Local\Temp\f760f9a.exe

C:\Users\Admin\AppData\Local\Temp\f761101.exe

C:\Users\Admin\AppData\Local\Temp\f761101.exe

C:\Users\Admin\AppData\Local\Temp\f762b54.exe

C:\Users\Admin\AppData\Local\Temp\f762b54.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f760f9a.exe

MD5 05aef00abfc9d7f47b66c2aaf1e1c136
SHA1 3c1d2bd570c1c36eed565fe6577c0f132f2969c8
SHA256 9e0bbb4a54855736f361e55f3ee3460527cc9db3ea4459e3475f4d23f3aba707
SHA512 43199d4aa36f358752c0426a8efac9b2906e1a3ddf0d1cf3edc4a5ec88c46d51b5abced96da25f2fe9fd4b27154c0f816a75f9fe44fcea08b1ed6df65bdef1ca

C:\Windows\SYSTEM.INI

MD5 521fcec7f5c20b9575b61354ebe0cf51
SHA1 0a03c57ee75cefd9822fe9d601231b0cf2436fe4
SHA256 a5186deb1b335f0d24e90043c2d343d4f9237ee92de506b0292879f368b45896
SHA512 3833c6dc04cd38f984e972373a3c884e0f2b551c410fe874035f5bcb9670d17b28d77fc427de6dc6fe67d77462393ba3c0961c80ab86f1e065b73b19d50ff7f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 05:21

Reported

2024-06-11 05:24

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality


UPX dump on OEP (original entry point)


UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
File created C:\Windows\e579819 C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A
File created C:\Windows\e572b07 C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A 64

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4940 wrote to memory of 1640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 1640 wrote to memory of 1004 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e572ac9.exe 3
PID 1004 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\fontdrvhost.exe 2
PID 1004 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\fontdrvhost.exe 2
PID 1004 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\dwm.exe 2
PID 1004 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\sihost.exe 2
PID 1004 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\svchost.exe 2
PID 1004 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\taskhostw.exe 2
PID 1004 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\Explorer.EXE 2
PID 1004 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\svchost.exe 2
PID 1004 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\DllHost.exe 2
PID 1004 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe 2
PID 1004 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\System32\RuntimeBroker.exe 2
PID 1004 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe 2
PID 1004 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\System32\RuntimeBroker.exe 2
PID 1004 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe 2
PID 1004 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\System32\RuntimeBroker.exe 2
PID 1004 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\system32\rundll32.exe 1
PID 1004 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Windows\SysWOW64\rundll32.exe 2
PID 1640 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e572c6f.exe 3
PID 1640 wrote to memory of 8 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57499c.exe 3
PID 1004 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\e572ac9.exe C:\Users\Admin\AppData\Local\Temp\e572c6f.exe 2

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e572ac9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57499c.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa024891a583066a90234cdde6280bb49d67dc755a5a6e8efcd22568ee264ebf.dll,#1

C:\Users\Admin\AppData\Local\Temp\e572ac9.exe

C:\Users\Admin\AppData\Local\Temp\e572ac9.exe

C:\Users\Admin\AppData\Local\Temp\e572c6f.exe

C:\Users\Admin\AppData\Local\Temp\e572c6f.exe

C:\Users\Admin\AppData\Local\Temp\e57499c.exe

C:\Users\Admin\AppData\Local\Temp\e57499c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/1640-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e572ac9.exe

MD5 05aef00abfc9d7f47b66c2aaf1e1c136
SHA1 3c1d2bd570c1c36eed565fe6577c0f132f2969c8
SHA256 9e0bbb4a54855736f361e55f3ee3460527cc9db3ea4459e3475f4d23f3aba707
SHA512 43199d4aa36f358752c0426a8efac9b2906e1a3ddf0d1cf3edc4a5ec88c46d51b5abced96da25f2fe9fd4b27154c0f816a75f9fe44fcea08b1ed6df65bdef1ca

memory/1004-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1004-6-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-8-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-11-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-12-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1640-28-0x0000000004730000-0x0000000004732000-memory.dmp

memory/1004-33-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/1004-19-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-30-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-31-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/1004-26-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1640-25-0x0000000004730000-0x0000000004732000-memory.dmp

memory/1004-24-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1640-22-0x00000000047C0000-0x00000000047C1000-memory.dmp

memory/1640-21-0x0000000004730000-0x0000000004732000-memory.dmp

memory/1004-18-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-20-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-10-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-35-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-36-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-37-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-38-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-39-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/8-46-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1640-47-0x0000000004730000-0x0000000004732000-memory.dmp

memory/1004-50-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-52-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-51-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1164-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1164-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1164-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1004-58-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-60-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-63-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-64-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-66-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-67-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-69-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-70-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-73-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-75-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-83-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/1004-78-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/1004-95-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-99-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 954ec04f84132b87266d9f301f58748d
SHA1 38fa45209cef7cc4d7ec0ee187deb7b80ab54cd4
SHA256 c1b343da205bc2eb2bf4ddfcb242059e446bcddf413fbb73acb77d0d61e1aad7
SHA512 cd385e67e6e823bd7197c1f7b340442d24d1840a968164036aeeb6281bb49b57e6fd86d16eee3e17eabdcfa60e55ab20c0a31a41f528bba11f5b945bd261f9e6

memory/8-119-0x0000000000880000-0x000000000193A000-memory.dmp

memory/8-121-0x0000000000400000-0x0000000000412000-memory.dmp