Malware Analysis Report

2024-12-07 04:26

Sample ID: 241113-v1anysvrbs
Target: e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72N
SHA256: e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72
Tags: sality backdoor discovery evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72

Threat Level: Known bad

The file e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72N was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Sality

Windows security bypass

Sality family

UAC bypass

Modifies firewall policy service

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 17:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 17:26
Reported: 2024-11-13 17:28
Platform: win7-20240708-en
Max time kernel: 119s
Max time network: 120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Sality

Tags: backdoor sality

Sality family

Tags: sality

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Windows security bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A

Windows security modification

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (23 identical rows)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f76f392 | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
File created | C:\Windows\f774395 | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (24 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Token: SeDebugPrivilege (22 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 2980 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 3028 (4 identical events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76f344.exe
PID 3028 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\taskhost.exe
PID 3028 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\Dwm.exe
PID 3028 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\DllHost.exe
PID 3028 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\rundll32.exe
PID 3028 wrote to memory of 2980 (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2980 wrote to memory of 2792 (4 identical events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76f4ab.exe
PID 2980 wrote to memory of 1516 (4 identical events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f770efe.exe
PID 3028 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\taskhost.exe
PID 3028 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\Dwm.exe
PID 3028 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Windows\system32\DllHost.exe
PID 3028 wrote to memory of 2792 (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Users\Admin\AppData\Local\Temp\f76f4ab.exe
PID 3028 wrote to memory of 1516 (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | C:\Users\Admin\AppData\Local\Temp\f770efe.exe
PID 1516 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | C:\Windows\system32\taskhost.exe
PID 1516 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | C:\Windows\system32\Dwm.exe
PID 1516 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | C:\Windows\Explorer.EXE
PID 1516 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | C:\Windows\system32\DllHost.exe

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76f344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f770efe.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72N.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76f344.exe

C:\Users\Admin\AppData\Local\Temp\f76f344.exe

C:\Users\Admin\AppData\Local\Temp\f76f4ab.exe

C:\Users\Admin\AppData\Local\Temp\f76f4ab.exe

C:\Users\Admin\AppData\Local\Temp\f770efe.exe

C:\Users\Admin\AppData\Local\Temp\f770efe.exe

Network

N/A

Files

memory/2980-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76f344.exe

MD5 5cf91db5dfe91ee734a0bed7793b86a6
SHA1 c69debc07b784862f0f9de6d561bd426da15dd9d
SHA256 372015c28a7b72c64ff53aa43266ac740eb5ca9dc5fc7d1598dcdcba5ba3a7c6
SHA512 353de0c59e2a134dac0f9b8d7399f8dae07e185eaad5caa14e1856393207de0f055389c8f38d075a3ef120a7916614dc10012a19df82c61748b758e4e63e0dab

memory/2980-4-0x0000000000670000-0x0000000000682000-memory.dmp

memory/3028-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2980-10-0x0000000000670000-0x0000000000682000-memory.dmp

memory/3028-16-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-20-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-47-0x0000000003E20000-0x0000000003E21000-memory.dmp

memory/3028-49-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/3028-50-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/2980-46-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2980-37-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2980-53-0x00000000006C0000-0x00000000006D2000-memory.dmp

memory/2980-36-0x0000000000690000-0x0000000000692000-memory.dmp

memory/1108-28-0x0000000000320000-0x0000000000322000-memory.dmp

memory/3028-18-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-17-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-15-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-21-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-14-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-19-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-12-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2980-58-0x0000000000690000-0x0000000000692000-memory.dmp

memory/2980-60-0x0000000000690000-0x0000000000692000-memory.dmp

memory/2980-59-0x00000000006C0000-0x00000000006D2000-memory.dmp

memory/2792-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3028-22-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-63-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-64-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-65-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-67-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-66-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-69-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-70-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1516-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2980-81-0x00000000006E0000-0x00000000006F2000-memory.dmp

memory/3028-84-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-87-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/3028-88-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1516-110-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2792-108-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2792-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2792-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1516-138-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3028-159-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3028-160-0x0000000000520000-0x00000000015DA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 d716f6c2ac4f5e3bcf50b30b78c3f3b7
SHA1 86c91b38a14f626b654b259b6b9a81844524887c
SHA256 40aad38c4d785c4a85c8e8652ec767e0e4e258d44fd85a0c58e9e775805704b0
SHA512 f911d2a1931ef9565804751715e106f681f27902bb8d4e7b8787b8ab9effee869e2e1acabb35c9448b5882cc2c00c09fded7fe81e73765580814ff734164fd49

memory/1516-174-0x0000000000990000-0x0000000001A4A000-memory.dmp

memory/2792-189-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1516-217-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1516-216-0x0000000000990000-0x0000000001A4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 17:26
Reported: 2024-11-13 17:28
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A

Sality

Tags: backdoor sality

Sality family

Tags: sality

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A

Windows security bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A

Windows security modification

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e579347.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e5777ff.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57785c C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
File created C:\Windows\e57c880 C:\Users\Admin\AppData\Local\Temp\e579347.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5779c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e579347.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2964 wrote to memory of 3452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe
PID 2964 wrote to memory of 3452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe
PID 2964 wrote to memory of 3452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5777ff.exe
PID 3452 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\fontdrvhost.exe
PID 3452 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\fontdrvhost.exe
PID 3452 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\dwm.exe
PID 3452 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\sihost.exe
PID 3452 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\svchost.exe
PID 3452 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\taskhostw.exe
PID 3452 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\Explorer.EXE
PID 3452 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\svchost.exe
PID 3452 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\DllHost.exe
PID 3452 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3452 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3452 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3452 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3452 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\rundll32.exe
PID 3452 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SysWOW64\rundll32.exe
PID 3452 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SysWOW64\rundll32.exe
PID 2964 wrote to memory of 4552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5779c4.exe
PID 2964 wrote to memory of 4552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5779c4.exe
PID 2964 wrote to memory of 4552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5779c4.exe
PID 2964 wrote to memory of 1456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579347.exe
PID 2964 wrote to memory of 1456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579347.exe
PID 2964 wrote to memory of 1456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579347.exe
PID 3452 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\fontdrvhost.exe
PID 3452 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\fontdrvhost.exe
PID 3452 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\dwm.exe
PID 3452 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\sihost.exe
PID 3452 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\svchost.exe
PID 3452 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\taskhostw.exe
PID 3452 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\Explorer.EXE
PID 3452 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\svchost.exe
PID 3452 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\system32\DllHost.exe
PID 3452 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3452 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3452 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3452 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Users\Admin\AppData\Local\Temp\e5779c4.exe
PID 3452 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Users\Admin\AppData\Local\Temp\e5779c4.exe
PID 3452 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 3452 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Users\Admin\AppData\Local\Temp\e579347.exe
PID 3452 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\e5777ff.exe C:\Users\Admin\AppData\Local\Temp\e579347.exe
PID 1456 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\fontdrvhost.exe
PID 1456 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\fontdrvhost.exe
PID 1456 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\dwm.exe
PID 1456 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\sihost.exe
PID 1456 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\taskhostw.exe
PID 1456 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\Explorer.EXE
PID 1456 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\system32\DllHost.exe
PID 1456 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1456 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\System32\RuntimeBroker.exe
PID 1456 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e579347.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5777ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579347.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e33fdb1ed078427c950cba054c00961c860f461568c40fcffa22509d7779ac72N.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5777ff.exe

C:\Users\Admin\AppData\Local\Temp\e5777ff.exe

C:\Users\Admin\AppData\Local\Temp\e5779c4.exe

C:\Users\Admin\AppData\Local\Temp\e5779c4.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e579347.exe

C:\Users\Admin\AppData\Local\Temp\e579347.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp

Files

memory/2964-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3452-4-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5777ff.exe

MD5 5cf91db5dfe91ee734a0bed7793b86a6
SHA1 c69debc07b784862f0f9de6d561bd426da15dd9d
SHA256 372015c28a7b72c64ff53aa43266ac740eb5ca9dc5fc7d1598dcdcba5ba3a7c6
SHA512 353de0c59e2a134dac0f9b8d7399f8dae07e185eaad5caa14e1856393207de0f055389c8f38d075a3ef120a7916614dc10012a19df82c61748b758e4e63e0dab

memory/3452-6-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-23-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

memory/2964-26-0x00000000008C0000-0x00000000008C2000-memory.dmp

memory/2964-32-0x00000000008C0000-0x00000000008C2000-memory.dmp

memory/3452-31-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/4552-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3452-29-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-24-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-18-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-25-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/3452-17-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/2964-21-0x0000000000960000-0x0000000000961000-memory.dmp

memory/2964-20-0x00000000008C0000-0x00000000008C2000-memory.dmp

memory/3452-11-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-10-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-8-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-9-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-19-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-30-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-36-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-37-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-38-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-39-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-40-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-42-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-43-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1456-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3452-51-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-55-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/3452-56-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-57-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1456-66-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4552-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1456-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4552-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4552-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3452-67-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-68-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-71-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-73-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-76-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-77-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-80-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4552-82-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3452-83-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-84-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-85-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1456-87-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3452-98-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/3452-91-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3452-108-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 0afec6cec1b55bfb2e4e290a47907f72
SHA1 a3ea469aee3ad9b7ecccef923dccaee961baa97d
SHA256 a8072582c2b0f0b9b7ea36ad8c205f08faf6db14f71d81d6f71476a39f8c0af0
SHA512 4cf8e88c9e38b4d3e23403c67265ffd6cfeae6ea3295b056af3355d89bcce3e7f42c35db4c17749982e988ca9d7632483e80d10484a3a0b3025fbb6874fa5750

memory/1456-120-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/4552-124-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1456-155-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1456-154-0x0000000000B20000-0x0000000001BDA000-memory.dmp