Malware Analysis Report

2024-09-11 12:21

Sample ID 240614-d8bgsatflb
Target c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56
SHA256 c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56

Threat Level: Known bad

The file c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Modifies firewall policy service

Sality

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Windows security modification

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:40

Reported

2024-06-14 03:43

Platform

win7-20240611-en

Max time kernel

117s

Max time network

129s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f767b86 C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
File created C:\Windows\f76cb89 C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2556 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767a9c.exe
PID 2556 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Windows\system32\taskhost.exe
PID 2556 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Windows\system32\Dwm.exe
PID 2556 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Windows\Explorer.EXE
PID 2556 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Windows\system32\DllHost.exe
PID 2556 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Windows\system32\rundll32.exe
PID 2556 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767cfd.exe
PID 2280 wrote to memory of 2104 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769147.exe
PID 2556 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Users\Admin\AppData\Local\Temp\f767cfd.exe
PID 2556 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\f767a9c.exe C:\Users\Admin\AppData\Local\Temp\f769147.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767a9c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767cfd.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll,#1

C:\Users\Admin\AppData\Local\Temp\f767a9c.exe

C:\Users\Admin\AppData\Local\Temp\f767a9c.exe

C:\Users\Admin\AppData\Local\Temp\f767cfd.exe

C:\Users\Admin\AppData\Local\Temp\f767cfd.exe

C:\Users\Admin\AppData\Local\Temp\f769147.exe

C:\Users\Admin\AppData\Local\Temp\f769147.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f767a9c.exe

MD5 91b209ae3f0359ed8c212721fe1eeab6
SHA1 3484d9ba2b828db836ddb16050a9d8f3da2f16d1
SHA256 8143d8a2c9eaa4ff0a087063c870299d5a80e3a3c205946bec9fcf3f20c1b2d6
SHA512 761b801ee9c6ae489e0106bb1489f119613fedfae6093ef7ed61cf0126fbb29903cd79a06b64bebec029c574ba08df9eeeaf4373446f88e97d7fafac51cfce30

C:\Windows\SYSTEM.INI

MD5 95a8a09f5d449b2ece5003059d54fb1e
SHA1 eee2418e156094c6201941231c69f2847bc46605
SHA256 1ba9f606ffc3808de3ca16037914f849934bd070d0486577081f122ac0fd85d3
SHA512 5d7ad77aa0b622ff940258939a312ed4427311849a3ed0e40a1fdbe47a6e5496d943a7d8d45114fb5297728ad96381f22966340553e02df3030309e0099177da

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:40

Reported

2024-06-14 03:42

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

159s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5737f8 C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
File created C:\Windows\e5788e7 C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A (64 identical rows: the same process enabled SeDebugPrivilege 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3104 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3104 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 624 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe
PID 624 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe
PID 624 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe
PID 2072 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\fontdrvhost.exe
PID 2072 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\fontdrvhost.exe
PID 2072 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\dwm.exe
PID 2072 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\sihost.exe
PID 2072 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\svchost.exe
PID 2072 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\taskhostw.exe
PID 2072 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\Explorer.EXE
PID 2072 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\svchost.exe
PID 2072 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\DllHost.exe
PID 2072 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2072 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2072 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2072 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2072 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2072 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\rundll32.exe
PID 2072 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SysWOW64\rundll32.exe
PID 624 wrote to memory of 1264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57395f.exe
PID 624 wrote to memory of 1264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57395f.exe
PID 624 wrote to memory of 1264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57395f.exe
PID 624 wrote to memory of 3784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5758bf.exe
PID 624 wrote to memory of 3784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5758bf.exe
PID 624 wrote to memory of 3784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5758bf.exe
PID 2072 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\fontdrvhost.exe
PID 2072 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\fontdrvhost.exe
PID 2072 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\dwm.exe
PID 2072 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\sihost.exe
PID 2072 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\svchost.exe
PID 2072 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\taskhostw.exe
PID 2072 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\Explorer.EXE
PID 2072 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\svchost.exe
PID 2072 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\DllHost.exe
PID 2072 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2072 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2072 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2072 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2072 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Users\Admin\AppData\Local\Temp\e57395f.exe
PID 2072 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Users\Admin\AppData\Local\Temp\e57395f.exe
PID 2072 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\System32\RuntimeBroker.exe
PID 2072 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Users\Admin\AppData\Local\Temp\e5758bf.exe
PID 2072 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Users\Admin\AppData\Local\Temp\e5758bf.exe
PID 2072 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 3784 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\fontdrvhost.exe
PID 3784 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\fontdrvhost.exe
PID 3784 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\dwm.exe
PID 3784 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\sihost.exe
PID 3784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\svchost.exe
PID 3784 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\taskhostw.exe
PID 3784 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\Explorer.EXE
PID 3784 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\svchost.exe
PID 3784 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\DllHost.exe
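The table above is the injection evidence in this run: every row is one WriteProcessMemory call with the writer and target PIDs and images. Read as a graph it separates the loader chain (rundll32 starting the dropped executables) from the fan-out of the dropped executables into fontdrvhost, dwm, sihost, svchost, Explorer and the other resident processes. The following is an added example, written by the editor and not code from the sandbox vendor or this report, that parses rows of this shape, counts calls per (writer, target) pair and lists writers that touched several distinct processes under C:\Windows. The sample rows are an excerpt of the table above; the threshold, the `C:\Windows` prefix test and all function names are this example's own choices. The same counting works on Sysmon Event ID 10 (ProcessAccess) records whose GrantedAccess includes PROCESS_VM_WRITE (0x20), only the row parser changes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" rows above.
# The full table has more targets for PIDs 2072 and 3784 but the same shape.
SAMPLE_ROWS = [
    r'PID 3104 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 3104 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 3104 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 624 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe',
    r'PID 624 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe',
    r'PID 624 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57378b.exe',
    r'PID 2072 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\fontdrvhost.exe',
    r'PID 2072 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\fontdrvhost.exe',
    r'PID 2072 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\dwm.exe',
    r'PID 2072 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\sihost.exe',
    r'PID 2072 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\Explorer.EXE',
    r'PID 2072 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\system32\rundll32.exe',
    r'PID 2072 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e57378b.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 624 wrote to memory of 1264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57395f.exe',
    r'PID 624 wrote to memory of 3784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5758bf.exe',
    r'PID 3784 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\fontdrvhost.exe',
    r'PID 3784 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e5758bf.exe C:\Windows\system32\dwm.exe',
]

# One row: "PID <src> wrote to memory of <dst> N/A <writer image> <target image>".
# Both images start with a drive letter, which is what lets the lazy match split them.
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$')


@dataclass(frozen=True)
class Write:
    src: int
    dst: int
    src_img: str
    dst_img: str


def parse_rows(rows):
    """Turn report rows into Write records; rows that do not match are skipped."""
    writes = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            writes.append(Write(int(m['src']), int(m['dst']), m['src_img'], m['dst_img']))
    return writes


def write_counts(writes):
    """(writer pid, target pid) -> number of WriteProcessMemory calls recorded."""
    counts = defaultdict(int)
    for w in writes:
        counts[(w.src, w.dst)] += 1
    return dict(counts)


def targets_by_writer(writes):
    """writer pid -> {target pid: target image}, one entry per distinct target."""
    graph = defaultdict(dict)
    for w in writes:
        graph[w.src][w.dst] = w.dst_img
    return dict(graph)


def system_process_targets(writes, system_root='C:\\Windows\\'):
    """writer pid -> sorted distinct target images that live under the Windows directory."""
    out = defaultdict(set)
    for w in writes:
        if w.dst_img.lower().startswith(system_root.lower()):
            out[w.src].add(w.dst_img)
    return {pid: sorted(imgs) for pid, imgs in out.items()}


def injectors(writes, min_system_targets=3):
    """Writers that wrote into at least min_system_targets distinct Windows-directory images.
    The threshold is this example's choice; a loader writing into one child stays below it."""
    return sorted(pid for pid, imgs in system_process_targets(writes).items()
                  if len(imgs) >= min_system_targets)


def writers_of(writes, pid):
    """Who wrote into pid; used to walk the loader chain backwards from an injector."""
    return sorted({w.src for w in writes if w.dst == pid})


if __name__ == '__main__':
    writes = parse_rows(SAMPLE_ROWS)
    for pid in injectors(writes):
        print(f'PID {pid} written to by {writers_of(writes, pid)} injected into:')
        for img in system_process_targets(writes)[pid]:
            print('   ', img)
```

On this excerpt the three-row groups (3104 into 624, 624 into 2072, and the 624 writes into 1264 and 3784) line up with the process list below: a parent writing into a child it has just started. The single-row fan-out from 2072 into fontdrvhost, dwm, sihost and Explorer is the cross-process injection, and walking `writers_of` from 2072 back through 624 to 3104 recovers the rundll32 chain that launched the dropped file.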

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A
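The AntiVirusDisableNotify row at the top of this section and the EnableLUA rows here all carry the same shape of evidence: a `Set value` row naming a kernel-style registry path, the value written and the writing process. Whether such a row is a security-policy change rather than ordinary configuration noise comes down to three things: translating `\REGISTRY\MACHINE` to `HKLM`, folding away the `WOW6432Node` redirection a 32-bit writer gets on 64-bit Windows (which is why the Security Center key appears under WOW6432Node while the Policies key does not), and matching path, value name and data against the handful of values that switch protections off. The following is an added example written by the editor, not code from the sandbox vendor or this report, that does exactly that over rows copied from this section plus one constructed benign per-user write (fake SID) that must not be flagged. The rule table covers the values seen here and a few other Security Center and firewall-policy values of the same kind; its descriptions and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three "Set value" rows from this section of the report, plus a
# made-up benign per-user Explorer setting under a fake SID that must not be flagged.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57378b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758bf.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\Explorer.EXE N/A',
]

# One row: 'Set value (<kind>) <key path> = "<data>" <writing process> <target>'.
# The key is matched lazily up to the first ' = "'; the target is the last token.
ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<process>.+) (?P<target>\S+)$')

# Kernel object-manager hive names as the sandbox logs them -> the usual short names.
HIVES = (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\'))


def normalize_key(raw: str) -> str:
    key = raw
    for prefix, short in HIVES:
        if key.upper().startswith(prefix):
            key = short + key[len(prefix):]
            break
    # A 32-bit writer on 64-bit Windows is redirected into WOW6432Node; the policy
    # it sets is the same one, so drop the redirection before matching.
    key = re.sub(r'\\WOW6432Node(?=\\)', '', key, flags=re.IGNORECASE)
    # CurrentControlSet is a link to one concrete ControlSet00N; fold them together.
    key = re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', key, flags=re.IGNORECASE)
    return key


@dataclass
class RegistryWrite:
    kind: str
    path: str      # normalized key path, without the value name
    name: str      # value name
    value: str     # data as the report prints it
    process: str   # writing process image


def parse_row(row: str) -> Optional[RegistryWrite]:
    m = ROW_RE.match(row)
    if not m:
        return None
    path, _, name = normalize_key(m['key']).rpartition('\\')
    return RegistryWrite(m['kind'], path, name, m['value'], m['process'])


# (lower-cased key path, lower-cased value name, data) -> what the write does.
# Registry names are case-insensitive, so everything is compared lower-cased.
POLICIES_SYSTEM = r'hklm\software\microsoft\windows\currentversion\policies\system'
SECURITY_CENTER = r'hklm\software\microsoft\security center'
FIREWALL_STD = r'hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile'
TAMPER_RULES = {
    (POLICIES_SYSTEM, 'enablelua', '0'): 'UAC disabled (takes effect after reboot)',
    (SECURITY_CENTER, 'antivirusdisablenotify', '1'): 'Security Center stops warning that antivirus is off',
    (SECURITY_CENTER, 'firewalldisablenotify', '1'): 'Security Center stops warning that the firewall is off',
    (SECURITY_CENTER, 'updatesdisablenotify', '1'): 'Security Center stops warning that updates are off',
    (FIREWALL_STD, 'enablefirewall', '0'): 'Windows Firewall disabled for the standard profile',
}


@dataclass
class Finding:
    process: str
    key: str
    value: str
    effect: str


def classify(rows):
    """Parse each row and keep only writes that match a known protection-disabling value."""
    findings = []
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        effect = TAMPER_RULES.get((rec.path.lower(), rec.name.lower(), rec.value))
        if effect:
            findings.append(Finding(rec.process, rec.path + '\\' + rec.name, rec.value, effect))
    return findings


def tampering_processes(rows):
    """Distinct writing processes behind the flagged rows, sorted."""
    return sorted({f.process for f in classify(rows)})


if __name__ == '__main__':
    for f in classify(SAMPLE_ROWS):
        print(f'{f.process}\n    {f.key} = {f.value}: {f.effect}')
```

Matching on the exact data value matters: an EnableLUA write of "1" is a hardening change and must not be reported as tampering, and a row that does not parse is skipped rather than guessed at.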

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57378b.exe

C:\Users\Admin\AppData\Local\Temp\e57378b.exe

C:\Users\Admin\AppData\Local\Temp\e57395f.exe

C:\Users\Admin\AppData\Local\Temp\e57395f.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5758bf.exe

C:\Users\Admin\AppData\Local\Temp\e5758bf.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

memory/624-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57378b.exe

MD5 91b209ae3f0359ed8c212721fe1eeab6
SHA1 3484d9ba2b828db836ddb16050a9d8f3da2f16d1
SHA256 8143d8a2c9eaa4ff0a087063c870299d5a80e3a3c205946bec9fcf3f20c1b2d6
SHA512 761b801ee9c6ae489e0106bb1489f119613fedfae6093ef7ed61cf0126fbb29903cd79a06b64bebec029c574ba08df9eeeaf4373446f88e97d7fafac51cfce30

memory/2072-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2072-6-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-9-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-8-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-18-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-17-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-10-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-11-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-24-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/624-22-0x0000000004740000-0x0000000004741000-memory.dmp

memory/624-20-0x0000000001020000-0x0000000001022000-memory.dmp

memory/624-19-0x0000000001020000-0x0000000001022000-memory.dmp

memory/2072-31-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/624-30-0x0000000001020000-0x0000000001022000-memory.dmp

memory/2072-28-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/2072-27-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1264-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2072-33-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-26-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-35-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-37-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-36-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-38-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-39-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-40-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/3784-49-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2072-50-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1264-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1264-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3784-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1264-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3784-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3784-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2072-59-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-60-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-62-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-63-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-65-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-67-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-69-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-72-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-73-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-75-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2072-81-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/2072-94-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1264-98-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 19fe628fb4c274bdbb4637ff1b5ade2f
SHA1 3c5db1e7cbf3ddfcfcf55a379ed9431af96f2fb9
SHA256 7d7d806707452dd11e5114abbfaecc91d16104972e129ed750ba11acb093a389
SHA512 f24aae21503beea42bc2d38febfe2eea496a3229db0f49309b01158a7eb028bf7e7765df515357d10d436f0d26d2076c16fdab15e476a3fb7814a82f08499b71

memory/3784-110-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/3784-144-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/3784-145-0x0000000000400000-0x0000000000412000-memory.dmp