Malware Analysis Report

2024-09-11 12:58

Sample ID 240612-bwjxaaxfqj
Target 98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d
SHA256 98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d

Threat Level: Known bad

The file 98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

UAC bypass

Sality

Windows security bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Loads dropped DLL

Windows security modification

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:29

Reported

2024-06-12 01:32

Platform

win7-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
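The firewall-policy, EnableLUA and Security Center writes above (and the same writes repeated under "Windows security modification", "Checks whether UAC is enabled" and "System policy modification" further down, and again in behavioral2) are one defence-tampering pattern that each dropped executable performs in full. The script below is an added example by the editor, not part of this report or of any sandbox tooling. It parses rows in the report's own "Set value" / "Key created" layout, matches each write case-insensitively against a table of known tamper values, and maps hits to ATT&CK technique IDs. The tamper table and the ATT&CK mapping are the editor's assumptions; DoNotAllowExceptions = "0" is deliberately not in it because that is the Windows default and not a weakening on its own. The sample rows are copied from the tables on this page plus one constructed benign row that must not be flagged.

```python
"""Audit sandbox-report registry rows for Sality-style defence tampering.

Added example (editor's code, not sandbox tooling). Row layout parsed:
  Set value (type) <key> = "<data>" <process> <target>
  Key created <key> <process> <target>
"""
import re
from dataclasses import dataclass

# Rows copied from the behavioral1/behavioral2 tables on this page, plus one
# constructed benign row (Explorer\Advanced\Hidden) that must not be flagged.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7639a6.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7639a6.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7639a6.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f765532.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a613.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7639a6.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Users\Admin\AppData\Local\Temp\f7639a6.exe N/A',
]

# (lower-cased key suffix, data written) -> ATT&CK technique. Assumed mapping
# chosen by the editor. Suffix + case-insensitive matching is deliberate: the
# two detonations spell the same path differently (Wow6432Node/WOW6432Node,
# services/Services). DoNotAllowExceptions = "0" is absent: it is the default.
TAMPER = {
    (r"firewallpolicy\standardprofile\enablefirewall", "0"): "T1562.004",
    (r"firewallpolicy\standardprofile\disablenotifications", "1"): "T1562.004",
    (r"policies\system\enablelua", "0"): "T1548.002",
    (r"security center\antivirusoverride", "1"): "T1562.001",
    (r"security center\antivirusdisablenotify", "1"): "T1562.001",
    (r"security center\firewalloverride", "1"): "T1562.001",
    (r"security center\firewalldisablenotify", "1"): "T1562.001",
    (r"security center\updatesdisablenotify", "1"): "T1562.001",
    (r"security center\uacdisablenotify", "1"): "T1562.001",
}
TECHNIQUE_NAMES = {
    "T1562.004": "Impair Defenses: Disable or Modify System Firewall",
    "T1548.002": "Abuse Elevation Control Mechanism: Bypass User Account Control",
    "T1562.001": "Impair Defenses: Disable or Modify Tools",
}

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+) (\S+)$')
KEY_RE = re.compile(r"^Key created (.+?) (\S+) (\S+)$")


@dataclass(frozen=True)
class RegEvent:
    op: str        # "set" or "create"
    key: str       # full path exactly as the sandbox logged it
    value: str     # data written; "" for key creation
    process: str   # writing process image path


def parse_row(row):
    """Parse one report row into a RegEvent, or None if it is not a registry row."""
    m = SET_RE.match(row)
    if m:
        _type, key, value, proc, _target = m.groups()
        return RegEvent("set", key, value, proc)
    m = KEY_RE.match(row)
    if m:
        key, proc, _target = m.groups()
        return RegEvent("create", key, "", proc)
    return None


def classify(ev):
    """Return the ATT&CK technique ID for a known tamper write, else None."""
    if ev is None or ev.op != "set":
        return None
    key = ev.key.lower()
    for (suffix, bad_value), technique in TAMPER.items():
        if key.endswith(suffix) and ev.value == bad_value:
            return technique
    return None


def audit(rows):
    """Return (process basename, key, value, technique) for every flagged row."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        technique = classify(ev)
        if technique:
            findings.append((ev.process.rsplit("\\", 1)[-1], ev.key, ev.value, technique))
    return findings


def techniques_by_process(rows):
    """Map each writing process to the sorted list of techniques it exhibited."""
    out = {}
    for proc, _key, _value, technique in audit(rows):
        out.setdefault(proc, set()).add(technique)
    return {proc: sorted(techs) for proc, techs in out.items()}


if __name__ == "__main__":
    for proc, key, value, technique in audit(REPORT_ROWS):
        print(f"{proc}: {technique} ({TECHNIQUE_NAMES[technique]}) <- {key} = {value}")
```

Feed it the full set of rows from a report (one row per line) to get a per-process technique summary; to audit a live host instead, the same suffix/value table can be checked against the corresponding values under HKLM, keeping in mind that the Security Center values on a 64-bit host live under the Wow6432Node view shown in these rows.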

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
(26 rule hits; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
(30 rule hits; the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description | Indicator | Process | Target
(26 rule hits; the report records no description, indicator, process or target for any of them)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
Note: despite the signature name, the evidence recorded here is a write of EnableLUA = "0" (the same event listed under "UAC bypass" above); no separate read of the value is recorded in this report.

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f763a04 | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
File created | C:\Windows\f768a17 | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A (2 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A (21 identical rows)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A (20 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2844 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2236 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe (4 identical rows)
PID 1724 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\system32\taskhost.exe
PID 1724 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\system32\Dwm.exe
PID 1724 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\Explorer.EXE
PID 1724 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\system32\DllHost.exe
PID 1724 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\system32\rundll32.exe
PID 1724 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\SysWOW64\rundll32.exe (2 identical rows)
PID 2236 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f763b3c.exe (4 identical rows)
PID 2236 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f765532.exe (4 identical rows)
PID 1724 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\system32\taskhost.exe
PID 1724 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\system32\Dwm.exe
PID 1724 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Windows\Explorer.EXE
PID 1724 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Users\Admin\AppData\Local\Temp\f763b3c.exe (2 identical rows)
PID 1724 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | C:\Users\Admin\AppData\Local\Temp\f765532.exe (2 identical rows)
PID 1600 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\f765532.exe | C:\Windows\system32\taskhost.exe
PID 1600 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f765532.exe | C:\Windows\system32\Dwm.exe
PID 1600 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\f765532.exe | C:\Windows\Explorer.EXE
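Read as a graph, the table above shows the rundll32.exe instances that host the sample DLL writing into the dropped executables, which in turn write into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe. The script below is an added example by the editor, not tooling from the report or the sandbox: it parses rows in the "PID X wrote to memory of Y" layout, drops the repeated rows, propagates taint from a chosen seed PID along write edges, and lists which OS-image processes end up holding sample-written memory. The rows are a subset copied from the table above (one duplicate kept on purpose); the seed PID 2844 is the 64-bit rundll32.exe that loaded the DLL, as the Processes section records. Caveat: a write edge records that bytes were written into a process, not that they were executed there, so the output is a triage lead rather than proof of code execution in each target.

```python
"""Rebuild the cross-process write graph from a sandbox report's
WriteProcessMemory rows and find which OS processes were tainted.

Added example (editor's code, not sandbox tooling).
"""
import re
from collections import deque

# Rows copied from the behavioral1 WriteProcessMemory table on this page;
# the first row is repeated on purpose to exercise de-duplication.
ROWS = [
    r"PID 2844 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2844 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2236 wrote to memory of 1724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7639a6.exe",
    r"PID 1724 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f7639a6.exe C:\Windows\system32\taskhost.exe",
    r"PID 1724 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7639a6.exe C:\Windows\system32\Dwm.exe",
    r"PID 1724 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\f7639a6.exe C:\Windows\Explorer.EXE",
    r"PID 1724 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\f7639a6.exe C:\Windows\system32\DllHost.exe",
    r"PID 1724 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\f7639a6.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2236 wrote to memory of 1600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f765532.exe",
    r"PID 1600 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f765532.exe C:\Windows\system32\taskhost.exe",
    r"PID 1600 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\f765532.exe C:\Windows\Explorer.EXE",
]

# Image paths in this report contain no spaces, so \S+ is enough per column.
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_edges(rows):
    """Return unique (src_pid, src_image, dst_pid, dst_image) edges in first-seen order."""
    seen, edges = set(), []
    for row in rows:
        m = EDGE_RE.match(row)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edge = (int(src), src_img, int(dst), dst_img)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def is_os_image(path):
    """True for images under C:\\Windows (the processes a sample hides in)."""
    return path.lower().startswith("c:\\windows\\")


def taint(edges, seed_pids):
    """Map pid -> image for every process reachable from the seeds via writes.

    A write into a process puts attacker-controlled bytes there, so the target
    is treated as tainted and its own writes are followed in turn (BFS).
    """
    images = {}
    for src, src_img, dst, dst_img in edges:
        images[src] = src_img
        images[dst] = dst_img
    tainted = set(seed_pids)
    queue = deque(seed_pids)
    while queue:
        pid = queue.popleft()
        for src, _, dst, _ in edges:
            if src == pid and dst not in tainted:
                tainted.add(dst)
                queue.append(dst)
    return {pid: images.get(pid, "?") for pid in tainted}


def hijacked_os_processes(edges, seed_pids):
    """Basenames of OS-image processes (other than the seeds) that received sample writes."""
    names = {
        img.rsplit("\\", 1)[-1]
        for pid, img in taint(edges, seed_pids).items()
        if pid not in seed_pids and is_os_image(img)
    }
    return sorted(names, key=str.lower)


def fan_in(edges):
    """Number of distinct writer PIDs per target PID; high fan-in marks the shared hosts."""
    writers = {}
    for src, _, dst, _ in edges:
        writers.setdefault(dst, set()).add(src)
    return {dst: len(w) for dst, w in writers.items()}


if __name__ == "__main__":
    graph = parse_edges(ROWS)
    print("tainted OS processes:", hijacked_os_processes(graph, {2844}))
    print("fan-in per target:", fan_in(graph))
```

Running it over the complete table (all rows, not just this subset) gives the same picture with the second dropped executable f763b3c.exe added as a tainted non-OS process; the fan-in counts show taskhost.exe and Explorer.EXE being written by both dropped executables, which is why memory dumps for PID 1104 appear in the Files section alongside those of the droppers.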

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7639a6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f765532.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7639a6.exe

C:\Users\Admin\AppData\Local\Temp\f7639a6.exe

C:\Users\Admin\AppData\Local\Temp\f763b3c.exe

C:\Users\Admin\AppData\Local\Temp\f763b3c.exe

C:\Users\Admin\AppData\Local\Temp\f765532.exe

C:\Users\Admin\AppData\Local\Temp\f765532.exe

Network

N/A

Files

memory/2236-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f7639a6.exe

MD5 214b707a94598d2753ce9e9d50101664
SHA1 111a70e5343957754d041eaf6bba25e6329524d8
SHA256 47079d3a4cac43a64956b1253fa451cd78e35870b50468d5d6fa9b7c13ac21e9
SHA512 0e73474f94d10abd4ea78f0dd17e03398533905fc9c03d9fa49610ef3cf7ac481dfa19c4f093b6ba9a54e901b9e8ed493016b2e479cb61c8fc35ab419f1be6cf

memory/2236-11-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1724-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2236-9-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1724-17-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-14-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-23-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-21-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-18-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-20-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1724-48-0x0000000000520000-0x0000000000521000-memory.dmp

memory/2236-47-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1724-19-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2652-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2236-61-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2236-60-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/1724-59-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2236-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2236-37-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1104-29-0x0000000000450000-0x0000000000452000-memory.dmp

memory/1724-15-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-22-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2236-57-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1724-16-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-63-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-64-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-65-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-66-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-67-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-69-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-70-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1600-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2236-81-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2236-78-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1724-85-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-87-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-88-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2652-105-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1600-106-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1600-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1600-103-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1724-107-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-108-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2652-98-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2652-97-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1724-121-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/1724-150-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2652-155-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1724-151-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 c717fbf1bbe425a826616bc5e4ada800
SHA1 121453b70e1ba6b4ea15ceee2db37213766ea696
SHA256 508261daafe36f85487039bb311dbc5024ec74b4e0147ffe608a5fe70dc07c54
SHA512 8db703642320696340714573bf99811238b1db6914586ba9ff790a35c7c451db59bd003bf231766c15d3421d812b7219a8c1ab5b5b19658ac2300cb4a1801846

memory/1600-163-0x0000000000950000-0x0000000001A0A000-memory.dmp

memory/1600-206-0x0000000000950000-0x0000000001A0A000-memory.dmp

memory/1600-205-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:29

Reported

2024-06-12 01:32

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
(32 rule hits; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
(37 rule hits; the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description | Indicator | Process | Target
(32 rule hits; the report records no description, indicator, process or target for any of them)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e578a1f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57a613.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a613.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e578a5e C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
File created C:\Windows\e57f4b0 C:\Users\Admin\AppData\Local\Temp\e57a613.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 3104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4512 wrote to memory of 3104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4512 wrote to memory of 3104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3104 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe
PID 3104 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe
PID 3104 wrote to memory of 2596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578a1f.exe
PID 2596 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\fontdrvhost.exe
PID 2596 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\fontdrvhost.exe
PID 2596 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\dwm.exe
PID 2596 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\sihost.exe
PID 2596 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\svchost.exe
PID 2596 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\taskhostw.exe
PID 2596 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\Explorer.EXE
PID 2596 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\svchost.exe
PID 2596 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\DllHost.exe
PID 2596 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2596 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2596 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2596 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2596 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\rundll32.exe
PID 2596 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SysWOW64\rundll32.exe
PID 3104 wrote to memory of 4468 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578b96.exe
PID 3104 wrote to memory of 4468 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578b96.exe
PID 3104 wrote to memory of 4468 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578b96.exe
PID 3104 wrote to memory of 1996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a604.exe
PID 3104 wrote to memory of 1996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a604.exe
PID 3104 wrote to memory of 1996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a604.exe
PID 3104 wrote to memory of 1888 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a613.exe
PID 3104 wrote to memory of 1888 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a613.exe
PID 3104 wrote to memory of 1888 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a613.exe
PID 2596 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\fontdrvhost.exe
PID 2596 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\fontdrvhost.exe
PID 2596 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\dwm.exe
PID 2596 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\sihost.exe
PID 2596 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\svchost.exe
PID 2596 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\taskhostw.exe
PID 2596 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\Explorer.EXE
PID 2596 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\svchost.exe
PID 2596 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\system32\DllHost.exe
PID 2596 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2596 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2596 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2596 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Users\Admin\AppData\Local\Temp\e578b96.exe
PID 2596 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Users\Admin\AppData\Local\Temp\e578b96.exe
PID 2596 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2596 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Users\Admin\AppData\Local\Temp\e57a604.exe
PID 2596 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Users\Admin\AppData\Local\Temp\e57a604.exe
PID 2596 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Users\Admin\AppData\Local\Temp\e57a613.exe
PID 2596 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\e578a1f.exe C:\Users\Admin\AppData\Local\Temp\e57a613.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e578a1f.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\98d6b05fae8691dbb012eee71e667a20427035d0dc53e14308f7cc8fb58f9f8d.dll,#1

C:\Users\Admin\AppData\Local\Temp\e578a1f.exe

C:\Users\Admin\AppData\Local\Temp\e578a1f.exe

C:\Users\Admin\AppData\Local\Temp\e578b96.exe

C:\Users\Admin\AppData\Local\Temp\e578b96.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57a604.exe

C:\Users\Admin\AppData\Local\Temp\e57a604.exe

C:\Users\Admin\AppData\Local\Temp\e57a613.exe

C:\Users\Admin\AppData\Local\Temp\e57a613.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3104-4-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2596-5-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e578a1f.exe

MD5 214b707a94598d2753ce9e9d50101664
SHA1 111a70e5343957754d041eaf6bba25e6329524d8
SHA256 47079d3a4cac43a64956b1253fa451cd78e35870b50468d5d6fa9b7c13ac21e9
SHA512 0e73474f94d10abd4ea78f0dd17e03398533905fc9c03d9fa49610ef3cf7ac481dfa19c4f093b6ba9a54e901b9e8ed493016b2e479cb61c8fc35ab419f1be6cf

memory/2596-6-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-8-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-12-0x0000000000780000-0x000000000183A000-memory.dmp

memory/3104-13-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

memory/2596-17-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-28-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-29-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-18-0x0000000000780000-0x000000000183A000-memory.dmp

memory/4468-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2596-33-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3104-32-0x0000000000770000-0x0000000000784000-memory.dmp

memory/3104-19-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

memory/2596-11-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-10-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-22-0x0000000000670000-0x0000000000672000-memory.dmp

memory/3104-14-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

memory/2596-9-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-16-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/2596-35-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-36-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-37-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-38-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-39-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-40-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-42-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-43-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1888-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3104-55-0x0000000000770000-0x0000000000784000-memory.dmp

memory/1996-53-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3104-50-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

memory/2596-58-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-60-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-61-0x0000000000780000-0x000000000183A000-memory.dmp

memory/1888-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1996-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4468-72-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/1888-70-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1888-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1996-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1996-67-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4468-65-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/4468-64-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2596-75-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-76-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-80-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-81-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-85-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-87-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-89-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-90-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-91-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-103-0x0000000000670000-0x0000000000672000-memory.dmp

memory/2596-95-0x0000000000780000-0x000000000183A000-memory.dmp

memory/2596-112-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4468-116-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1996-120-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 8c7825ae8a557ec97698fa2991ad7281
SHA1 28b8c5ca37579d3512ac99a077ff30f214b27731
SHA256 85ac5aab909d58f38db205ddebfbc2e1c17ef4f1944cc049de78e6fc5deda1ba
SHA512 b7b0bb002190a21449210609f7796fb7f69261ab4d194d1a380f8ce695d1aeee3d8ac12bbaf0462376ff62b6e00f25087705c99ac9b44b62b3a64f50de6d36c5

memory/1888-145-0x0000000000B70000-0x0000000001C2A000-memory.dmp

memory/1888-144-0x0000000000400000-0x0000000000412000-memory.dmp