Malware Analysis Report

2024-09-11 12:22

Sample ID: 240613-219llsxhqr
Target: 56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004
SHA256: 56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004

Threat Level: Known bad

The file 56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004 was found to be: Known bad.

Malicious Activity Summary

Tags: sality backdoor evasion trojan upx

Sality
Windows security bypass
UAC bypass
Modifies firewall policy service
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Windows security modification
Enumerates connected drives
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 23:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 23:04
Reported: 2024-06-13 23:06
Platform: win7-20240508-en
Max time kernel: 120s
Max time network: 121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

25 matches; the report records no indicator, process or target for them.

UPX dump on OEP (original entry point)

29 matches; the report records no indicator, process or target for them.

UPX packed file

upx
25 matches; the report records no indicator, process or target for them.

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (15 drive letters, one open each) | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f761890 | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
File created | C:\Windows\f766a09 | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
2 occurrences | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
1 occurrence | N/A | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (21 occurrences) | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Token: SeDebugPrivilege (20 occurrences) | N/A | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A

Suspicious use of WriteProcessMemory

Rows are in the order reported; consecutive identical rows are collapsed with a write count.
Description | Indicator | Process | Target
PID 1616 wrote to memory of 2004 (7 writes) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 2228 (4 writes) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761822.exe
PID 2228 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\system32\taskhost.exe
PID 2228 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\system32\Dwm.exe
PID 2228 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\Explorer.EXE
PID 2228 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\system32\DllHost.exe
PID 2228 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\system32\rundll32.exe
PID 2228 wrote to memory of 2004 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2004 wrote to memory of 2656 (4 writes) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761af0.exe
PID 2004 wrote to memory of 2192 (4 writes) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe
PID 2228 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\system32\taskhost.exe
PID 2228 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\system32\Dwm.exe
PID 2228 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Windows\Explorer.EXE
PID 2228 wrote to memory of 2656 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Users\Admin\AppData\Local\Temp\f761af0.exe
PID 2228 wrote to memory of 2192 (2 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\f761822.exe | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe
PID 2192 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | C:\Windows\system32\taskhost.exe
PID 2192 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | C:\Windows\system32\Dwm.exe
PID 2192 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | C:\Windows\Explorer.EXE
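The WriteProcessMemory table above lists writes but no process tree, so it does not by itself separate the writes a parent makes into a child it has just started (rundll32.exe into the executables it drops) from the writes into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe that put Sality's code into processes that were already running. The following is an added example, not code from the sandbox or from the report: it parses rows in the report's own format and separates the two kinds with a first-writer heuristic. SAMPLE_ROWS is an excerpt of the table above in its original order; the heuristic (first writer into a PID is its creator, a Windows-directory process that never writes anywhere was already resident) is this example's assumption, not something the report states.

```python
"""Rebuild the cross-process write graph from WriteProcessMemory rows.

Added example, not code from the sandbox or from the report: the row parser
and the creation-vs-foreign heuristic are this example's own.  The report
lists writes but no process tree, so the heuristic approximates one: the
first process to write into a PID is taken to be its creator (a parent
writes into a child it has just created), and every other write, or any
write into a process that was already running, is a foreign write, i.e. an
injection candidate (ATT&CK T1055).  SAMPLE_ROWS is an excerpt of the
behavioral1 table, in the original order.
"""
import re
from collections import Counter

_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$"
)


def parse_rows(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each well-formed row."""
    for line in lines:
        m = _ROW.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_writes(lines):
    """Return sorted (kind, src_pid, src_image, dst_pid, dst_image, n_writes).

    kind is "creation" for writes a parent makes into a child it has just
    spawned and "foreign" for everything else.
    """
    rows = list(parse_rows(lines))
    writers = {src for src, _, _, _ in rows}
    first_writer = {}   # dst pid -> pid that first wrote into it
    active = set()      # pids already seen acting as a writer
    counts = Counter()
    for src, dst, src_img, dst_img in rows:
        # A Windows-directory process that never writes anywhere itself was
        # running before detonation (taskhost, Dwm, Explorer, DllHost here).
        resident = dst not in writers and dst_img.lower().startswith("c:\\windows\\")
        first_writer.setdefault(dst, src)
        creation = first_writer[dst] == src and dst not in active and not resident
        kind = "creation" if creation else "foreign"
        counts[(kind, src, _base(src_img), dst, _base(dst_img))] += 1
        active.add(src)
    return sorted((*key, n) for key, n in counts.items())


def injection_targets(lines):
    """Sorted image names that received at least one foreign write."""
    return sorted({dst for kind, _, _, _, dst, _ in classify_writes(lines) if kind == "foreign"})


# Excerpt of the behavioral1 WriteProcessMemory table, original order.
R64 = r"C:\Windows\system32\rundll32.exe"
R32 = r"C:\Windows\SysWOW64\rundll32.exe"
S1 = r"C:\Users\Admin\AppData\Local\Temp\f761822.exe"
S2 = r"C:\Users\Admin\AppData\Local\Temp\f761af0.exe"
S3 = r"C:\Users\Admin\AppData\Local\Temp\f7633dc.exe"
TASKHOST = r"C:\Windows\system32\taskhost.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
SAMPLE_ROWS = [
    f"PID 1616 wrote to memory of 2004 N/A {R64} {R32}",
    f"PID 1616 wrote to memory of 2004 N/A {R64} {R32}",
    f"PID 2004 wrote to memory of 2228 N/A {R32} {S1}",
    f"PID 2228 wrote to memory of 1068 N/A {S1} {TASKHOST}",
    f"PID 2228 wrote to memory of 1192 N/A {S1} {EXPLORER}",
    f"PID 2228 wrote to memory of 1616 N/A {S1} {R64}",
    f"PID 2228 wrote to memory of 2004 N/A {S1} {R32}",
    f"PID 2004 wrote to memory of 2656 N/A {R32} {S2}",
    f"PID 2004 wrote to memory of 2192 N/A {R32} {S3}",
    f"PID 2228 wrote to memory of 2656 N/A {S1} {S2}",
    f"PID 2228 wrote to memory of 2192 N/A {S1} {S3}",
    f"PID 2192 wrote to memory of 1068 N/A {S3} {TASKHOST}",
    f"PID 2192 wrote to memory of 1192 N/A {S3} {EXPLORER}",
]

if __name__ == "__main__":
    for kind, src, src_img, dst, dst_img, n in classify_writes(SAMPLE_ROWS):
        print(f"{kind:8} {src}:{src_img} -> {dst}:{dst_img} x{n}")
    print("injection targets:", ", ".join(injection_targets(SAMPLE_ROWS)))
```

On the excerpt the heuristic keeps the four spawn edges (1616 -> 2004, 2004 -> 2228, 2004 -> 2656, 2004 -> 2192) as creation and reports everything else as foreign. Two of the foreign edges are ones a plain parent-child model would miss: f761822.exe (2228) writing back into its own ancestors, both rundll32.exe instances, and into f761af0.exe and f7633dc.exe, which were spawned by 2004 and not by 2228. With a real process tree from the sandbox, replace the first-writer guess with the actual parent PID and keep the rest.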

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761822.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7633dc.exe | N/A
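The registry writes in the tables above (firewall policy, EnableLUA, the Security Center notify and override values, the Security Center\Svc key) are the reusable part of this report for detection engineering: every one of them weakens a defence and none is written by legitimate software in normal operation. The following is an added example, not code from the sandbox or from the report: it parses indicator rows in the report's own format and maps each write to the defence it weakens. The parser, the rule table and the labels are this example's own; the ATT&CK IDs in the labels are the usual mappings for these techniques. SAMPLE_ROWS are copied from the behavioral1 tables above, plus one constructed benign row that shows what is not flagged.

```python
"""Triage of sandbox registry indicators for Sality-style security tampering.

Added example, not part of the sandbox report.  Parses the "Set value" and
"Key created" rows exactly as the report prints them and maps each write to
the defence it weakens.  Rules, labels and the parser are this example's own.
"""
import re
from collections import defaultdict

# (regex on the registry path, value that marks tampering or None for a key
#  creation) -> finding label.
RULES = [
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", "0", "firewall disabled (T1562.004)"),
    (r"\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$", "0", "firewall exceptions forced on (T1562.004)"),
    (r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$", "1", "firewall notifications silenced (T1562.004)"),
    (r"\\Policies\\System\\EnableLUA$", "0", "UAC disabled via EnableLUA (T1548.002)"),
    (r"\\Security Center\\\w+DisableNotify$", "1", "Security Center alert silenced (T1562.001)"),
    (r"\\Security Center\\\w+Override$", "1", "Security Center status overridden (T1562.001)"),
    (r"\\Security Center\\Svc$", None, "Security Center\\Svc key created (T1112)"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), v, label) for p, v, label in RULES]

# Row layouts used by the report.  Paths may contain spaces ("Security
# Center"), so the value is anchored on ` = "..."` and the process/target
# columns are taken from the end of the line.
_SET = re.compile(r'^Set value \(\w+\)\s+(?P<path>.+?)\s+=\s+"(?P<value>[^"]*)"\s+(?P<proc>\S+)\s+\S+$')
_KEY = re.compile(r'^Key created\s+(?P<path>.+)\s+(?P<proc>\S+)\s+\S+$')


def parse_event(line):
    """Return (path, value_or_None, process) for one indicator row, else None."""
    line = line.strip()
    m = _SET.match(line)
    if m:
        return m["path"], m["value"], m["proc"]
    m = _KEY.match(line)
    if m:
        return m["path"], None, m["proc"]
    return None


def classify(path, value):
    """Return the finding label for one write, or None if no rule matches."""
    for rx, bad_value, label in _COMPILED:
        if rx.search(path) and value == bad_value:
            return label
    return None


def hive_path(path):
    """Rewrite the kernel object path into the HKLM/HKU form Sysmon logs use."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    return re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.IGNORECASE)


def triage(lines):
    """Map finding label -> sorted list of processes that produced it."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        path, value, proc = ev
        label = classify(path, value)
        if label:
            findings[label].add(proc)
    return {label: sorted(procs) for label, procs in sorted(findings.items())}


# Rows copied from the behavioral1 tables; the last row is constructed.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761822.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7633dc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761822.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633dc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761822.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633dc.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761822.exe N/A',
    # constructed benign-looking write: not matched by any rule
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Example\InstallPath = "C:\Example" C:\Users\Admin\AppData\Local\Temp\f761822.exe N/A',
]

if __name__ == "__main__":
    for label, procs in triage(SAMPLE_ROWS).items():
        print(f"{label}: {', '.join(procs)}")
```

Two caveats when turning this into a detection or a remediation. EnableLUA = "0" does not bypass a UAC prompt: it turns UAC off for subsequent logons, and writing the value already requires administrative rights (the sandbox runs the sample as Admin). The Security Center values land under Wow6432Node because the dropped executables are 32-bit on a 64-bit guest; these notify and override values are a legacy of the XP-era Security Center and carry little weight on current Windows, but nothing legitimate writes them, so they remain a high-signal indicator. hive_path() produces the HKLM\... form that Sysmon Event ID 13 (RegistryEvent, value set) logs in TargetObject, which is where a rule built from this table would match.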

Processes

Image, with its command line indented beneath it:

C:\Windows\system32\taskhost.exe
    "taskhost.exe"
C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004.dll,#1
C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004.dll,#1
C:\Users\Admin\AppData\Local\Temp\f761822.exe
    C:\Users\Admin\AppData\Local\Temp\f761822.exe
C:\Users\Admin\AppData\Local\Temp\f761af0.exe
    C:\Users\Admin\AppData\Local\Temp\f761af0.exe
C:\Users\Admin\AppData\Local\Temp\f7633dc.exe
    C:\Users\Admin\AppData\Local\Temp\f7633dc.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761822.exe

MD5 c0fec899bf0294a7da41ba4821cd1757
SHA1 06db9c0f90aca71880deb5a6e3ea11d0dd6606be
SHA256 00a7c65560f97b1fff8d1d80ae8142cc59360b0138bd77ecc92e09e49e6f24a7
SHA512 ba9961b6d07b4e7d5b5e341207a5465b0cedc508d483faf6c545f85c75d3445cb5ffb2780e7699fd8952c3350804cfada23f77c54bafba5625ad42207bef9db3

memory/2228-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2004-10-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2004-9-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2004-8-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2228-17-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-14-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-12-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-18-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-16-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-15-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-21-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-19-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-22-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-20-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/1068-28-0x0000000000210000-0x0000000000212000-memory.dmp

memory/2228-46-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/2228-45-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/2004-39-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2004-38-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2004-37-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2004-56-0x0000000000350000-0x0000000000362000-memory.dmp

memory/2656-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2004-57-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2228-55-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/2004-54-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2228-60-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-61-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-62-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-64-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-63-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-66-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-67-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2004-79-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2192-80-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2228-81-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-83-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-85-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-87-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2228-88-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2192-102-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2192-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2656-97-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2656-96-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2656-103-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2192-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2228-123-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/2228-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2228-152-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2656-156-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 25539bf7cfbc01df936e86a70ed7f785
SHA1 eed22c4d8dc1a11fe3094e9a5797228c0ea64e0e
SHA256 799be4e49a321264ddde26667fa38f7b216dbd1d80b4ed82ad64d3b74b7d6402
SHA512 56a883ae691dade050689f645f1d2b0b7485a65a68b57d8beb8fac563c30112be37724c7f51c8508128123468534cccfdfda971b58e9fa98887205538c04410f

memory/2192-173-0x0000000000990000-0x0000000001A4A000-memory.dmp

memory/2192-204-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2192-205-0x0000000000990000-0x0000000001A4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 23:04
Reported: 2024-06-13 23:06
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 62s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

29 matches; the report records no indicator, process or target for them.

UPX dump on OEP (original entry point)

33 matches; the report records no indicator, process or target for them.

UPX packed file

upx
29 matches; the report records no indicator, process or target for them.

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\e57441d | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| File created | C:\Windows\e57b4e8 | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4900 wrote to memory of 4964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4900 wrote to memory of 4964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4900 wrote to memory of 4964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4964 wrote to memory of 1120 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e5743df.exe |
| PID 4964 wrote to memory of 1120 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e5743df.exe |
| PID 4964 wrote to memory of 1120 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e5743df.exe |
| PID 1120 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\fontdrvhost.exe |
| PID 1120 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\fontdrvhost.exe |
| PID 1120 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\dwm.exe |
| PID 1120 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\sihost.exe |
| PID 1120 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\svchost.exe |
| PID 1120 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\taskhostw.exe |
| PID 1120 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\Explorer.EXE |
| PID 1120 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\svchost.exe |
| PID 1120 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\DllHost.exe |
| PID 1120 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
| PID 1120 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 1120 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe |
| PID 1120 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 1120 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 1120 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe |
| PID 1120 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\rundll32.exe |
| PID 1120 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1120 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4964 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e574517.exe |
| PID 4964 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e574517.exe |
| PID 4964 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e574517.exe |
| PID 4964 wrote to memory of 1740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57664b.exe |
| PID 4964 wrote to memory of 1740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57664b.exe |
| PID 4964 wrote to memory of 1740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\e57664b.exe |
| PID 1120 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\fontdrvhost.exe |
| PID 1120 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\fontdrvhost.exe |
| PID 1120 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\dwm.exe |
| PID 1120 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\sihost.exe |
| PID 1120 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\svchost.exe |
| PID 1120 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\taskhostw.exe |
| PID 1120 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\Explorer.EXE |
| PID 1120 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\svchost.exe |
| PID 1120 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\system32\DllHost.exe |
| PID 1120 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
| PID 1120 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 1120 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe |
| PID 1120 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 1120 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 1120 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe |
| PID 1120 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Users\Admin\AppData\Local\Temp\e574517.exe |
| PID 1120 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Users\Admin\AppData\Local\Temp\e574517.exe |
| PID 1120 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Users\Admin\AppData\Local\Temp\e57664b.exe |
| PID 1120 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | C:\Users\Admin\AppData\Local\Temp\e57664b.exe |

System policy modification

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5743df.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57664b.exe | N/A |

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\56935daf13862757bd7ceb27f0067dcf0c6005daa9c2f41f555be555b9aa8004.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5743df.exe

C:\Users\Admin\AppData\Local\Temp\e5743df.exe

C:\Users\Admin\AppData\Local\Temp\e574517.exe

C:\Users\Admin\AppData\Local\Temp\e574517.exe

C:\Users\Admin\AppData\Local\Temp\e57664b.exe

C:\Users\Admin\AppData\Local\Temp\e57664b.exe

Network

Files

memory/4964-2-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5743df.exe

MD5 c0fec899bf0294a7da41ba4821cd1757
SHA1 06db9c0f90aca71880deb5a6e3ea11d0dd6606be
SHA256 00a7c65560f97b1fff8d1d80ae8142cc59360b0138bd77ecc92e09e49e6f24a7
SHA512 ba9961b6d07b4e7d5b5e341207a5465b0cedc508d483faf6c545f85c75d3445cb5ffb2780e7699fd8952c3350804cfada23f77c54bafba5625ad42207bef9db3

memory/1120-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1120-19-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-14-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-11-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-18-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-26-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-30-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/1120-27-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-32-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/4204-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4964-29-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/1120-23-0x0000000000680000-0x0000000000681000-memory.dmp

memory/1120-28-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/4964-21-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

memory/1120-10-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-9-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/4964-24-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/4964-20-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/1120-6-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-36-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-37-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-38-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-39-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-40-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/4964-46-0x0000000003A90000-0x0000000003A92000-memory.dmp

memory/1120-42-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-50-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1740-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4204-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1740-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1740-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4204-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4204-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1120-59-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-61-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-63-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-64-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-65-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-68-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-71-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-73-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-74-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-95-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-96-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1120-90-0x00000000008A0000-0x000000000195A000-memory.dmp

memory/1120-83-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/4204-100-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 1a050c8780a244ebfab5f48cbf1940e5
SHA1 d451306462ac25ff19803d68bd047440ffe0d5da
SHA256 7fa3737f79807859a99adbd1ff9d29c4ebb8691842388b83f23733a302119779
SHA512 da2b728d7b8c559c538a176d32acce9d39bd4a6d4dac0a04e66054a2f2068e169f2bcfe87d2d569c43ba99a5a7fa442054e1d803de12951f897a7f48dbc334df

memory/1740-119-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/1740-121-0x0000000000400000-0x0000000000412000-memory.dmp