Malware Analysis Report

2024-09-11 12:13

Sample ID 240617-d1b4casbkg
Target e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a
SHA256 e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a

Threat Level: Known bad

The file e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

UAC bypass

Windows security bypass

Sality

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Loads dropped DLL

Windows security modification

Executes dropped EXE

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 03:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 03:28

Reported

2024-06-17 03:30

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f762684 C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
File created C:\Windows\f76761a C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 2608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762617.exe
PID 2608 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Windows\system32\Dwm.exe
PID 2608 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Windows\system32\taskhost.exe
PID 2608 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Windows\Explorer.EXE
PID 2608 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Windows\system32\DllHost.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Windows\system32\rundll32.exe
PID 2608 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 2488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7627ac.exe
PID 2560 wrote to memory of 2720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7641b2.exe
PID 2608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Users\Admin\AppData\Local\Temp\f7627ac.exe
PID 2608 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f762617.exe C:\Users\Admin\AppData\Local\Temp\f7641b2.exe
PID 2488 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\f7627ac.exe C:\Windows\system32\Dwm.exe
PID 2488 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f7627ac.exe C:\Windows\system32\taskhost.exe
PID 2488 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\f7627ac.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762617.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7627ac.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a.dll,#1

C:\Users\Admin\AppData\Local\Temp\f762617.exe

C:\Users\Admin\AppData\Local\Temp\f762617.exe

C:\Users\Admin\AppData\Local\Temp\f7627ac.exe

C:\Users\Admin\AppData\Local\Temp\f7627ac.exe

C:\Users\Admin\AppData\Local\Temp\f7641b2.exe

C:\Users\Admin\AppData\Local\Temp\f7641b2.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f762617.exe

MD5 f2e63f2506e7561b031b50994be7df85
SHA1 0147bf868c7499e496ef424c46205b2216e729ca
SHA256 279bd38945fcc8fd2b628d6df94ff088a1ab4c73aac64a5d84753d5487bf2bea
SHA512 fc45b67e80101eaf7d02df47842e7a2d7e2c272aeb00c3b3e99024b681657bddfe0aef00dc9f7f77fe79e43098b81e6721885818ec82c4e2daf1934a657c40c9

C:\Windows\SYSTEM.INI

MD5 2bcf10da87477b05f5db6a26436b0008
SHA1 33215fe4d1d41d51520c1e78de9d361cf30ad393
SHA256 de70708032f239e98f06427813e88921714b4dcb97f924099af344cd590515fd
SHA512 af07cab4d73126395cbb4562c11a3eac5f36db3bfbb45af07f81d5b7bce9154e220a97d73217293da89f0e1632c2f32c45e4cd5bcab08d36fb85983dd398b36b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 03:28

Reported

2024-06-17 03:30

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

52s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57a75c C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
File created C:\Windows\e573b44 C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 1436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573b05.exe
PID 1436 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\fontdrvhost.exe
PID 1436 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\fontdrvhost.exe
PID 1436 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\dwm.exe
PID 1436 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\sihost.exe
PID 1436 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\svchost.exe
PID 1436 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\taskhostw.exe
PID 1436 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\Explorer.EXE
PID 1436 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\svchost.exe
PID 1436 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\DllHost.exe
PID 1436 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1436 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\System32\RuntimeBroker.exe
PID 1436 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1436 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\System32\RuntimeBroker.exe
PID 1436 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1436 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\System32\RuntimeBroker.exe
PID 1436 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1436 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\system32\rundll32.exe
PID 1436 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\SysWOW64\rundll32.exe
PID 2012 wrote to memory of 4544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573bf0.exe
PID 2012 wrote to memory of 2124 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5758ce.exe
PID 1436 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Users\Admin\AppData\Local\Temp\e573bf0.exe
PID 1436 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\System32\RuntimeBroker.exe
PID 1436 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Windows\System32\RuntimeBroker.exe
PID 1436 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\e573b05.exe C:\Users\Admin\AppData\Local\Temp\e5758ce.exe
PID 2124 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\fontdrvhost.exe
PID 2124 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\fontdrvhost.exe
PID 2124 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\dwm.exe
PID 2124 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\sihost.exe
PID 2124 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\svchost.exe
PID 2124 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\taskhostw.exe
PID 2124 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\Explorer.EXE
PID 2124 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\svchost.exe
PID 2124 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\system32\DllHost.exe
PID 2124 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2124 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\System32\RuntimeBroker.exe
PID 2124 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\e5758ce.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5758ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573b05.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4be10edde34395f33a125c6f104e15b856bd20ef08154ed867285234abf556a.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573b05.exe

C:\Users\Admin\AppData\Local\Temp\e573b05.exe

C:\Users\Admin\AppData\Local\Temp\e573bf0.exe

C:\Users\Admin\AppData\Local\Temp\e573bf0.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5758ce.exe

C:\Users\Admin\AppData\Local\Temp\e5758ce.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\e573b05.exe

MD5 f2e63f2506e7561b031b50994be7df85
SHA1 0147bf868c7499e496ef424c46205b2216e729ca
SHA256 279bd38945fcc8fd2b628d6df94ff088a1ab4c73aac64a5d84753d5487bf2bea
SHA512 fc45b67e80101eaf7d02df47842e7a2d7e2c272aeb00c3b3e99024b681657bddfe0aef00dc9f7f77fe79e43098b81e6721885818ec82c4e2daf1934a657c40c9

C:\Windows\SYSTEM.INI

MD5 1e90fe56e85d68cc9a12f24f21720796
SHA1 a456a7ad3aa86f163883cd74f36fd7bf3bb22bf2
SHA256 5f157cc30d2c6f4c533eda108e989e60a0af80786f9b6881ed1e69680e300dc5
SHA512 15bb3a08127077f3756ddbbf6a7300935d50017bdec5d4b5daab7200128577fa384bb5f3f20a745de6dcadf12387ed1de5172d3d4e16558f5dc853c627040f5a
