Malware Analysis Report

2025-04-03 16:51

Sample ID 241109-t54l6ayajc
Target 16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81eN
SHA256 16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81e
Tags
sality backdoor discovery evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81e

Threat Level: Known bad

The file 16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81eN was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Modifies firewall policy service

Sality family

Windows security bypass

Sality

UAC bypass

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 16:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 16:39

Reported

2024-11-09 16:41

Platform

win7-20241023-en

Max time kernel

117s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76a40c C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
File created C:\Windows\f76f42e C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2592 wrote to memory of 2084 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a39f.exe
PID 2592 wrote to memory of 2084 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a39f.exe
PID 2592 wrote to memory of 2084 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a39f.exe
PID 2592 wrote to memory of 2084 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a39f.exe
PID 2084 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\taskhost.exe
PID 2084 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\Dwm.exe
PID 2084 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\Explorer.EXE
PID 2084 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\DllHost.exe
PID 2084 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\rundll32.exe
PID 2084 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2592 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a554.exe
PID 2592 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a554.exe
PID 2592 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a554.exe
PID 2592 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a554.exe
PID 2592 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe
PID 2592 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe
PID 2592 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe
PID 2592 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe
PID 2084 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\taskhost.exe
PID 2084 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\Dwm.exe
PID 2084 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\Explorer.EXE
PID 2084 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Windows\system32\DllHost.exe
PID 2084 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Users\Admin\AppData\Local\Temp\f76a554.exe
PID 2084 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Users\Admin\AppData\Local\Temp\f76a554.exe
PID 2084 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe
PID 2084 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\f76a39f.exe C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe
PID 2332 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe C:\Windows\system32\taskhost.exe
PID 2332 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe C:\Windows\system32\Dwm.exe
PID 2332 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe C:\Windows\Explorer.EXE
PID 2332 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76a39f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81eN.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81eN.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76a39f.exe

C:\Users\Admin\AppData\Local\Temp\f76a39f.exe

C:\Users\Admin\AppData\Local\Temp\f76a554.exe

C:\Users\Admin\AppData\Local\Temp\f76a554.exe

C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe

C:\Users\Admin\AppData\Local\Temp\f76c2d2.exe

Network

N/A

Files

memory/2592-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2592-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2592-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2592-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76a39f.exe

MD5 328d2840c20d3883b5f4bb96e0b47b43
SHA1 431c7e20ec948527d095b73f84c93d2957c25aca
SHA256 8db05befdb20b96a8f1a29a671698b9a6755aa656141c003fb3688f163fa82b3
SHA512 5dfe92f1fab0ce470139f96094b858bf261f42cc124fb0823434c84146883165e8d3b7bb8351cba549cbd0857e03f7cf1efed2747728dc1167c460a6b12c8184

memory/2084-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2592-13-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2592-12-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2084-18-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-21-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-22-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-24-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2592-53-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2084-59-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/2936-58-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2592-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2592-56-0x0000000000200000-0x0000000000212000-memory.dmp

memory/2592-45-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2084-44-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2084-43-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-25-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-23-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-20-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-19-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-17-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2592-34-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2592-33-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1116-26-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2084-65-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-66-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-67-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-68-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-70-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-71-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-72-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-73-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-74-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-90-0x00000000002D0000-0x00000000002D2000-memory.dmp

memory/2332-89-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2592-88-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2084-91-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-92-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2936-102-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2936-111-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2332-110-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2936-109-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2332-108-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2332-107-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2936-139-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2084-159-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2084-158-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 27b8f9acc8c17be65778b26753978b8e
SHA1 412864290eadd3ddd3c5886f8491b252516581c7
SHA256 bf814ee3354cb9dfdc7c60e334e06be27f8828a27ad23d7bf64809619bb9996e
SHA512 0e53d437dbd231314b63e1368dbbdf629e92b0127e97fb33038bb8b610962c5d5f84998fc2605e7c17efd2d3c9607e501a66cca57e4cfe05cf280bdf25f1e56d

memory/2332-171-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2936-188-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2332-215-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2332-216-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2592-217-0x0000000010000000-0x0000000010020000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 16:39

Reported

2024-11-09 16:41

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57b277 C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
File created C:\Windows\e58025c C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 1296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 1296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 1296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1296 wrote to memory of 4328 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe
PID 1296 wrote to memory of 4328 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe
PID 1296 wrote to memory of 4328 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b20a.exe
PID 4328 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\fontdrvhost.exe
PID 4328 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\fontdrvhost.exe
PID 4328 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\dwm.exe
PID 4328 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\svchost.exe
PID 4328 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\sihost.exe
PID 4328 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\taskhostw.exe
PID 4328 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\Explorer.EXE
PID 4328 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\svchost.exe
PID 4328 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\DllHost.exe
PID 4328 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4328 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4328 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4328 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4328 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\rundll32.exe
PID 4328 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SysWOW64\rundll32.exe
PID 4328 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SysWOW64\rundll32.exe
PID 1296 wrote to memory of 2160 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b333.exe
PID 1296 wrote to memory of 2160 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b333.exe
PID 1296 wrote to memory of 2160 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57b333.exe
PID 1296 wrote to memory of 3212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe
PID 1296 wrote to memory of 3212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe
PID 1296 wrote to memory of 3212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe
PID 4328 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\fontdrvhost.exe
PID 4328 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\fontdrvhost.exe
PID 4328 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\dwm.exe
PID 4328 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\svchost.exe
PID 4328 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\sihost.exe
PID 4328 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\taskhostw.exe
PID 4328 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\Explorer.EXE
PID 4328 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\svchost.exe
PID 4328 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\system32\DllHost.exe
PID 4328 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4328 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4328 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4328 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Users\Admin\AppData\Local\Temp\e57b333.exe
PID 4328 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Users\Admin\AppData\Local\Temp\e57b333.exe
PID 4328 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4328 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe
PID 4328 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\e57b20a.exe C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b333.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57b20a.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81eN.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a33f2df2a4e0f19a8747d0ec8533617091d6ad642a356db48714726fc3f81eN.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57b20a.exe

C:\Users\Admin\AppData\Local\Temp\e57b20a.exe

C:\Users\Admin\AppData\Local\Temp\e57b333.exe

C:\Users\Admin\AppData\Local\Temp\e57b333.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe

C:\Users\Admin\AppData\Local\Temp\e57cdcf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1296-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57b20a.exe

MD5 328d2840c20d3883b5f4bb96e0b47b43
SHA1 431c7e20ec948527d095b73f84c93d2957c25aca
SHA256 8db05befdb20b96a8f1a29a671698b9a6755aa656141c003fb3688f163fa82b3
SHA512 5dfe92f1fab0ce470139f96094b858bf261f42cc124fb0823434c84146883165e8d3b7bb8351cba549cbd0857e03f7cf1efed2747728dc1167c460a6b12c8184

memory/4328-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4328-8-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1296-33-0x0000000001190000-0x0000000001192000-memory.dmp

memory/2160-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4328-32-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-25-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-35-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-30-0x0000000001AB0000-0x0000000001AB2000-memory.dmp

memory/4328-24-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-11-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-27-0x0000000001AB0000-0x0000000001AB2000-memory.dmp

memory/4328-26-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1296-13-0x0000000004170000-0x0000000004171000-memory.dmp

memory/4328-9-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1296-16-0x0000000001190000-0x0000000001192000-memory.dmp

memory/4328-15-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

memory/1296-12-0x0000000001190000-0x0000000001192000-memory.dmp

memory/4328-34-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-36-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-42-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-43-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-51-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-53-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-54-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2160-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3212-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3212-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2160-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3212-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2160-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4328-64-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-66-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-69-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-71-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-73-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-75-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-76-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2160-77-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4328-80-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4328-81-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3212-82-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4328-103-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4328-94-0x0000000001AB0000-0x0000000001AB2000-memory.dmp

memory/4328-84-0x00000000007B0000-0x000000000186A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 27a392263af8dfeb9cf6e550abea5948
SHA1 0fc298ead4e8e0b688d959809aabd41582e89d53
SHA256 e6198cc6a93fe00ee69c31c90fe4becffc437855368b0f19715516edb3021e30
SHA512 0af5e27924c24df2a8a9490ef58e3e23ad942e8f7880aa7128ed6e5d47b68d94ac1739655ace325941d422725c2e8c5198875e47e9c75c326c9ff5be3e7f365c

memory/2160-128-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/2160-127-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3212-134-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/3212-133-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2160-135-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/3212-136-0x0000000000B30000-0x0000000001BEA000-memory.dmp