Malware Analysis Report

2024-09-11 12:25

Sample ID 240611-x4tx4sycnn
Target 1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8
SHA256 1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8

Threat Level: Known bad

The file 1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

Sality

UAC bypass

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Executes dropped EXE

Windows security modification

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 19:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 19:24

Reported

2024-06-11 19:27

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5743b0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
File created C:\Windows\e57acf9 C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A
File created C:\Windows\e574304 C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1172 wrote to memory of 468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1172 wrote to memory of 468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 468 wrote to memory of 4304 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe
PID 468 wrote to memory of 4304 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe
PID 468 wrote to memory of 4304 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5742b6.exe
PID 4304 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\fontdrvhost.exe
PID 4304 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\fontdrvhost.exe
PID 4304 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\dwm.exe
PID 4304 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\sihost.exe
PID 4304 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\svchost.exe
PID 4304 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\taskhostw.exe
PID 4304 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\Explorer.EXE
PID 4304 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\svchost.exe
PID 4304 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\DllHost.exe
PID 4304 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4304 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4304 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4304 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4304 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\rundll32.exe
PID 4304 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SysWOW64\rundll32.exe
PID 468 wrote to memory of 732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743b0.exe
PID 468 wrote to memory of 732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743b0.exe
PID 468 wrote to memory of 732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743b0.exe
PID 468 wrote to memory of 4020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575e6c.exe
PID 468 wrote to memory of 4020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575e6c.exe
PID 468 wrote to memory of 4020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575e6c.exe
PID 4304 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\fontdrvhost.exe
PID 4304 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\fontdrvhost.exe
PID 4304 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\dwm.exe
PID 4304 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\sihost.exe
PID 4304 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\svchost.exe
PID 4304 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\taskhostw.exe
PID 4304 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\Explorer.EXE
PID 4304 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\svchost.exe
PID 4304 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\system32\DllHost.exe
PID 4304 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4304 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4304 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4304 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Users\Admin\AppData\Local\Temp\e5743b0.exe
PID 4304 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Users\Admin\AppData\Local\Temp\e5743b0.exe
PID 4304 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Windows\System32\RuntimeBroker.exe
PID 4304 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Users\Admin\AppData\Local\Temp\e575e6c.exe
PID 4304 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e5742b6.exe C:\Users\Admin\AppData\Local\Temp\e575e6c.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5742b6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575e6c.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5742b6.exe

C:\Users\Admin\AppData\Local\Temp\e5742b6.exe

C:\Users\Admin\AppData\Local\Temp\e5743b0.exe

C:\Users\Admin\AppData\Local\Temp\e5743b0.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e575e6c.exe

C:\Users\Admin\AppData\Local\Temp\e575e6c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e5742b6.exe

MD5 e7c30f603212e22fb89b1d45e5e9675a
SHA1 55114fe2835b6e84457bac6df39c17899ce87cee
SHA256 fb2eaaba5e9989387b8b46b24c230712e8465ec8770f458e0a2d44823b9cf47e
SHA512 b82147139f00988163f5db4f747f16113a396508be17dd358ea1bd908a921d3ee024282140550dd3f93f2a38d53c66df852a021ca088a484bbda5ab0980c144c

memory/468-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4304-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4304-9-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/468-27-0x0000000004010000-0x0000000004012000-memory.dmp

memory/4304-24-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/732-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4304-28-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-33-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4304-32-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-35-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-11-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-29-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4304-10-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/468-16-0x0000000004010000-0x0000000004012000-memory.dmp

memory/4304-15-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/468-12-0x0000000004010000-0x0000000004012000-memory.dmp

memory/468-26-0x00000000044E0000-0x00000000044E1000-memory.dmp

memory/4304-25-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-6-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-8-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-36-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-37-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-38-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-39-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-40-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-41-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-43-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-44-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-52-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-54-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-55-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4020-64-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/732-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4020-62-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/4020-61-0x0000000000570000-0x0000000000571000-memory.dmp

memory/732-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/732-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4304-65-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-66-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-70-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-71-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-73-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-74-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-75-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-77-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-79-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-81-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-82-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-85-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4304-102-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4304-93-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/732-106-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4020-117-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f6cef88e12352bc1dd8462463b7330dc
SHA1 228b101c13d945d46c9f41accad19b64cce3997f
SHA256 687ad12632eeee114306efef41a33375c5dab197f8b76844fccdb51fb1ac94a2
SHA512 e5f07dc6b5e4535b9cde925179e0b8025af0b7a2e756f053f65436e1e5d7001e7529a78e52a6e936e8608d58cf63fbe4bdf72b9453fb8b71f9410ebc67ab3a9c

memory/4020-115-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 19:24

Reported

2024-06-11 19:27

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760c8e C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
File created C:\Windows\f765cef C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760c31.exe
PID 2264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760c31.exe
PID 2264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760c31.exe
PID 2264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760c31.exe
PID 2132 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\system32\taskhost.exe
PID 2132 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\system32\Dwm.exe
PID 2132 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\Explorer.EXE
PID 2132 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\system32\DllHost.exe
PID 2132 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\system32\rundll32.exe
PID 2132 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\SysWOW64\rundll32.exe
PID 2132 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2264 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2264 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2264 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2264 wrote to memory of 1988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7627db.exe
PID 2264 wrote to memory of 1988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7627db.exe
PID 2264 wrote to memory of 1988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7627db.exe
PID 2264 wrote to memory of 1988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7627db.exe
PID 2132 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\system32\taskhost.exe
PID 2132 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\system32\Dwm.exe
PID 2132 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Windows\Explorer.EXE
PID 2132 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2132 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2132 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Users\Admin\AppData\Local\Temp\f7627db.exe
PID 2132 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\f760c31.exe C:\Users\Admin\AppData\Local\Temp\f7627db.exe
PID 1988 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe C:\Windows\system32\taskhost.exe
PID 1988 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe C:\Windows\system32\Dwm.exe
PID 1988 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7627db.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7627db.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f1938a605ff56372c28630cb55c4a02e049b09d934ba5f04f49061554b55dd8.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760c31.exe

C:\Users\Admin\AppData\Local\Temp\f760c31.exe

C:\Users\Admin\AppData\Local\Temp\f760dd6.exe

C:\Users\Admin\AppData\Local\Temp\f760dd6.exe

C:\Users\Admin\AppData\Local\Temp\f7627db.exe

C:\Users\Admin\AppData\Local\Temp\f7627db.exe

Network

N/A

Files

memory/2264-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760c31.exe

MD5 e7c30f603212e22fb89b1d45e5e9675a
SHA1 55114fe2835b6e84457bac6df39c17899ce87cee
SHA256 fb2eaaba5e9989387b8b46b24c230712e8465ec8770f458e0a2d44823b9cf47e
SHA512 b82147139f00988163f5db4f747f16113a396508be17dd358ea1bd908a921d3ee024282140550dd3f93f2a38d53c66df852a021ca088a484bbda5ab0980c144c

memory/2132-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2264-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2264-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2132-13-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-19-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-21-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-16-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-15-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-22-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2264-38-0x00000000002A0000-0x00000000002A2000-memory.dmp

memory/2132-51-0x00000000005A0000-0x00000000005A2000-memory.dmp

memory/2132-52-0x00000000005A0000-0x00000000005A2000-memory.dmp

memory/2132-49-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/2264-48-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2264-39-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1116-29-0x0000000001F10000-0x0000000001F12000-memory.dmp

memory/2132-17-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-23-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-20-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-18-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2700-64-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2264-63-0x00000000002A0000-0x00000000002A2000-memory.dmp

memory/2264-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2264-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2264-60-0x00000000002A0000-0x00000000002A2000-memory.dmp

memory/2132-66-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-65-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-67-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-69-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-68-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-71-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-72-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-84-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-86-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-88-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/1988-107-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2700-106-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1988-105-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1988-104-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2700-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2700-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2132-114-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-127-0x00000000005A0000-0x00000000005A2000-memory.dmp

memory/2132-157-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2132-158-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 10f3dc21d088749bc2ce497cc086fc92
SHA1 deb951f0250a07be83d5d7e60cd1eb55b2b48772
SHA256 8977f763a8f8bc237fe0b1c8d5a0452672c14c4191ec2b6d501f578373b568c9
SHA512 1dc625e9d25e21a9534282832842925e2e1f3bc9b6479dc6ffcae089fa9426a5602f3dad21e8325893d82bcbb710b14bae6b5e6c49e0d4f69959e1ea8881ebff

memory/1988-175-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2700-185-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1988-212-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1988-213-0x0000000000930000-0x00000000019EA000-memory.dmp