Malware Analysis Report

2025-06-16 06:59

Sample ID 241104-en37qswlbm
Target 60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7N
SHA256 60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7
Tags
sality backdoor discovery evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7

Threat Level: Known bad

The file 60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7N was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Windows security bypass

Sality family

Modifies firewall policy service

Sality

UAC bypass

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 04:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 04:06

Reported

2024-11-04 04:08

Platform

win7-20240708-en

Max time kernel

27s

Max time network

17s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (23 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76c533 C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
File created C:\Windows\f7715b2 C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A (24 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A (22 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2692 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe (4 identical rows)
PID 2504 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\taskhost.exe
PID 2504 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\Dwm.exe
PID 2504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\Explorer.EXE
PID 2504 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\DllHost.exe
PID 2504 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\rundll32.exe
PID 2504 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\SysWOW64\rundll32.exe (2 identical rows)
PID 2692 wrote to memory of 2772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe (4 identical rows)
PID 2692 wrote to memory of 2688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76e09f.exe (4 identical rows)
PID 2504 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\taskhost.exe
PID 2504 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\Dwm.exe
PID 2504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\Explorer.EXE
PID 2504 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\DllHost.exe
PID 2504 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe (2 identical rows)
PID 2504 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Users\Admin\AppData\Local\Temp\f76e09f.exe (2 identical rows)
PID 2772 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe C:\Windows\system32\taskhost.exe
PID 2772 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe C:\Windows\system32\Dwm.exe
PID 2772 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe C:\Windows\Explorer.EXE
PID 2772 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
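The registry rows and the WriteProcessMemory rows in the signature tables above are the most actionable part of this report: the dropped executables switch off the firewall, UAC and Security Center alerting, then write into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses rows in the format the report prints (a subset of the behavioral1 rows is embedded as constructed input, including one row in the "(N identical rows)" collapsed form), maps each registry write to the control it disables, and rebuilds the injection chain with the number of repeated writes per source/target pair. The rule table, the names SECURITY_OFF, parse_rows, security_findings, injection_edges and system_process_targets, and the treatment of rundll32.exe as the sample's own loader rather than an injection victim are this example's own assumptions; the report does not supply them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: rows copied from the behavioral1 signature tables of the
# report (a representative subset). "(N identical rows)" marks a collapsed repeat.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe N/A
PID 2572 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2692 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe
PID 2504 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\system32\taskhost.exe
PID 2504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\Explorer.EXE
PID 2504 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe C:\Windows\Explorer.EXE
PID 2692 wrote to memory of 2772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe
PID 2772 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe C:\Windows\system32\taskhost.exe
"""

# Row formats as printed in the report's Description/Indicator/Process/Target tables.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+) (\S+)$')
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)'
                    r'(?: \((\d+) identical rows\))?$')

# Rule table (this example's own, not from the report): a write whose key path
# contains the first element, with this value name and data, turns the control off.
SECURITY_OFF = {
    ("FirewallPolicy", "EnableFirewall", "0"): "Windows Firewall off",
    ("FirewallPolicy", "DoNotAllowExceptions", "0"): "firewall exceptions allowed",
    ("FirewallPolicy", "DisableNotifications", "1"): "firewall notifications off",
    ("Policies\\System", "EnableLUA", "0"): "UAC off (after reboot)",
    ("Security Center", "AntiVirusDisableNotify", "1"): "AV alerts suppressed",
    ("Security Center", "FirewallDisableNotify", "1"): "firewall alerts suppressed",
    ("Security Center", "UpdatesDisableNotify", "1"): "update alerts suppressed",
    ("Security Center", "UacDisableNotify", "1"): "UAC alerts suppressed",
    ("Security Center", "AntiVirusOverride", "1"): "AV status override",
    ("Security Center", "FirewallOverride", "1"): "firewall status override",
}


@dataclass(frozen=True)
class RegWrite:
    key: str
    name: str
    data: str
    process: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    count: int


def parse_rows(text):
    """Split report rows into registry writes and cross-process memory writes.
    Rows of any other kind (Key opened, File opened, ...) are ignored."""
    reg, mem = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            key, _, name = m.group(2).rpartition("\\")
            reg.append(RegWrite(key, name, m.group(3), m.group(4)))
        elif m := WPM_RE.match(line):
            mem.append(MemWrite(int(m.group(1)), int(m.group(2)), m.group(3),
                                m.group(4), int(m.group(5)) if m.group(5) else 1))
    return reg, mem


def security_findings(reg_writes):
    """Map each writing process to the sorted list of controls it disabled."""
    findings = defaultdict(set)
    for w in reg_writes:
        for (key_part, name, data), what in SECURITY_OFF.items():
            if key_part in w.key and w.name == name and w.data == data:
                findings[w.process].add(what)
    return {proc: sorted(s) for proc, s in findings.items()}


def injection_edges(mem_writes):
    """Distinct (source image, target image) pairs with total write count."""
    edges = defaultdict(int)
    for w in mem_writes:
        edges[(w.src_image, w.dst_image)] += w.count
    return dict(edges)


def system_process_targets(mem_writes):
    """Targets under the Windows directory other than rundll32.exe, i.e. the
    pre-existing system processes the dropped executables wrote into."""
    return sorted({w.dst_image for w in mem_writes
                   if w.dst_image.lower().startswith("c:\\windows\\")
                   and not w.dst_image.lower().endswith("rundll32.exe")})


def basename(path):
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    reg, mem = parse_rows(SAMPLE_ROWS)
    for proc, what in security_findings(reg).items():
        print(basename(proc), "->", ", ".join(what))
    for (src, dst), n in injection_edges(mem).items():
        print(f"{basename(src)} wrote to {basename(dst)} x{n}")
    print("system processes written to:", [basename(p) for p in system_process_targets(mem)])
```

On the embedded rows this yields five disabled controls for f76c4d5.exe and one for f76c6c8.exe, six distinct injection edges (the collapsed rundll32 row counts as seven writes), and taskhost.exe and Explorer.EXE as the system processes written to. The "Key created ... Security Center\Svc" rows are not matched by the rule table; extend SECURITY_OFF or add a second regex if they matter for a given investigation.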

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7N.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe

C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe

C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe

C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe

C:\Users\Admin\AppData\Local\Temp\f76e09f.exe

C:\Users\Admin\AppData\Local\Temp\f76e09f.exe

Network

N/A

Files

memory/2692-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2692-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2692-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2692-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe

MD5 4ab7dc9ea8f2506d7f27ee00ab3b3385
SHA1 910b357910745bcffa0a562424ef8ce505a84d39
SHA256 0334b886a54a467c26efbe67842fb1383eaddf2331c7a17ffa32a4aa27e58829
SHA512 504c3b390c3089af772feea0cd92aa775e2a271e9d73e816767ba5809c26fb31fe149f04013cb5b41fcf9b85514c8634cc1a5e8d6e65cfcb9a2bab4a5e4b5654

memory/2504-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2692-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2692-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2504-18-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-21-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-25-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-15-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2692-50-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2772-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2692-53-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2692-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2504-41-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2692-42-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2504-17-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2692-33-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2504-22-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-23-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-55-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2504-56-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2504-20-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-19-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2692-32-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/1104-26-0x0000000000150000-0x0000000000152000-memory.dmp

memory/2504-24-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-62-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-63-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-64-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-66-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-65-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-68-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-69-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2688-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2692-77-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2504-82-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-84-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-85-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-88-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2772-101-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2772-100-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2772-99-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2688-107-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2688-109-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2504-111-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2772-130-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2688-133-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2504-153-0x0000000000680000-0x000000000173A000-memory.dmp

memory/2504-152-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 269d018c5fc0e7954a8c0f00e9ac0860
SHA1 d8bc33501e0498b08e5241336d203a210757650b
SHA256 2b449c6c604aec97ea96fb875ec20cbdb0cc2bae348d2d351dd37f2e9438a3b0
SHA512 1e5328627310ecce1a2ccaf2887a7f1f6fd0e01bf6c71749ffe8a32fe475427cb301fd16067a4cb24625838ca16dc3934338a8a0fdddda5d80df2d8acfdf40d1

memory/2772-185-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2772-191-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2688-195-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 04:06

Reported

2024-11-04 04:08

Platform

win10v2004-20241007-en

Max time kernel

109s

Max time network

110s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57807a C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
File created C:\Windows\e57d37c C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5782dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 1668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1668 wrote to memory of 3356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577ffd.exe
PID 3356 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\fontdrvhost.exe
PID 3356 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\fontdrvhost.exe
PID 3356 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\dwm.exe
PID 3356 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\sihost.exe
PID 3356 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\svchost.exe
PID 3356 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\taskhostw.exe
PID 3356 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\Explorer.EXE
PID 3356 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\svchost.exe
PID 3356 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\DllHost.exe
PID 3356 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3356 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\System32\RuntimeBroker.exe
PID 3356 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3356 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\System32\RuntimeBroker.exe
PID 3356 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3356 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\System32\RuntimeBroker.exe
PID 3356 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3356 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3356 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\system32\rundll32.exe
PID 3356 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3356 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1668 wrote to memory of 1112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5782dc.exe
PID 1668 wrote to memory of 3236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579b17.exe
PID 3356 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Users\Admin\AppData\Local\Temp\e5782dc.exe
PID 3356 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\System32\RuntimeBroker.exe
PID 3356 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Windows\System32\RuntimeBroker.exe
PID 3356 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e577ffd.exe C:\Users\Admin\AppData\Local\Temp\e579b17.exe
PID 3236 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\fontdrvhost.exe
PID 3236 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\fontdrvhost.exe
PID 3236 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\dwm.exe
PID 3236 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\sihost.exe
PID 3236 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\svchost.exe
PID 3236 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\taskhostw.exe
PID 3236 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\Explorer.EXE
PID 3236 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\svchost.exe
PID 3236 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\system32\DllHost.exe
PID 3236 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\e579b17.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577ffd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579b17.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60583aa9600272da01b65bd8c2f4e6234dd75af2729b9a0b47cc5563c594a6f7N.dll,#1

C:\Users\Admin\AppData\Local\Temp\e577ffd.exe

C:\Users\Admin\AppData\Local\Temp\e577ffd.exe

C:\Users\Admin\AppData\Local\Temp\e5782dc.exe

C:\Users\Admin\AppData\Local\Temp\e5782dc.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e579b17.exe

C:\Users\Admin\AppData\Local\Temp\e579b17.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1668-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e577ffd.exe

MD5 4ab7dc9ea8f2506d7f27ee00ab3b3385
SHA1 910b357910745bcffa0a562424ef8ce505a84d39
SHA256 0334b886a54a467c26efbe67842fb1383eaddf2331c7a17ffa32a4aa27e58829
SHA512 504c3b390c3089af772feea0cd92aa775e2a271e9d73e816767ba5809c26fb31fe149f04013cb5b41fcf9b85514c8634cc1a5e8d6e65cfcb9a2bab4a5e4b5654

memory/3356-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3356-6-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-8-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-9-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-10-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-12-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-14-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-11-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-26-0x0000000004370000-0x0000000004371000-memory.dmp

memory/3356-20-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-21-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1112-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3356-22-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-31-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/1668-30-0x0000000003560000-0x0000000003562000-memory.dmp

memory/1668-27-0x0000000003560000-0x0000000003562000-memory.dmp

memory/3356-29-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/1668-24-0x0000000003B40000-0x0000000003B41000-memory.dmp

memory/1668-23-0x0000000003560000-0x0000000003562000-memory.dmp

memory/3356-15-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-36-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-37-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-38-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-39-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-40-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-42-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1668-46-0x0000000003560000-0x0000000003562000-memory.dmp

memory/3356-43-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-52-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/3236-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3356-53-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-55-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-56-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1112-59-0x0000000000420000-0x0000000000421000-memory.dmp

memory/3236-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1112-64-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/3236-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3236-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1112-60-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/3356-66-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-68-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-72-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-73-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-74-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-75-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-77-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-78-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-81-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-82-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-91-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/3356-86-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3356-103-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1112-107-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 6f37690a4959aec03c5aeeb7c5531408
SHA1 8c69c1f07139bdb5ff5392b9fa2f11428cb802b6
SHA256 a1213222bc3760bad2c71cc9060acbe0237ae60e5c8051433f9395e7e92e5e76
SHA512 f70988365f3a5c8cb957da85cdce54ef1b0e3178604bce05f9094b32419d37d3843c2fec33830674bd9ac4a8bec43661a9e4fe6aae7ba2a550fc4a46093182e6

memory/3236-119-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/3236-147-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/3236-148-0x0000000000400000-0x0000000000412000-memory.dmp