Malware Analysis Report

2025-08-05 23:41

Sample ID 250108-h1njlazjax
Target a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c.exe
SHA256 a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c
Tags
sality backdoor discovery evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c

Threat Level: Known bad

The file a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Modifies firewall policy service

Sality

Sality family

UAC bypass

Windows security bypass

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-08 07:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-08 07:12

Reported

2025-01-08 07:14

Platform

win7-20241010-en

Max time kernel

118s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76953d C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
File created C:\Windows\f76e512 C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 1972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1972 wrote to memory of 2492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7694d0.exe
PID 2492 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Windows\system32\taskhost.exe
PID 2492 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Windows\system32\Dwm.exe
PID 2492 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Windows\Explorer.EXE
PID 2492 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Windows\system32\DllHost.exe
PID 2492 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Windows\system32\rundll32.exe
PID 2492 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Windows\SysWOW64\rundll32.exe
PID 1972 wrote to memory of 2724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769695.exe
PID 1972 wrote to memory of 2612 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76b08a.exe
PID 2492 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Users\Admin\AppData\Local\Temp\f769695.exe
PID 2492 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\f7694d0.exe C:\Users\Admin\AppData\Local\Temp\f76b08a.exe
PID 2724 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\f769695.exe C:\Windows\system32\taskhost.exe
PID 2724 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\f769695.exe C:\Windows\system32\Dwm.exe
PID 2724 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f769695.exe C:\Windows\Explorer.EXE
PID 2724 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\f769695.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7694d0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f769695.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7694d0.exe

C:\Users\Admin\AppData\Local\Temp\f7694d0.exe

C:\Users\Admin\AppData\Local\Temp\f769695.exe

C:\Users\Admin\AppData\Local\Temp\f769695.exe

C:\Users\Admin\AppData\Local\Temp\f76b08a.exe

C:\Users\Admin\AppData\Local\Temp\f76b08a.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f7694d0.exe

MD5 bc850d76e7016a3b38d73f8ae2d75c34
SHA1 1f836046d4fcfca7fa36a7e38f86cf0d5ff04c77
SHA256 e28f69e06e7c73d7b55ed326a48c6e0e439d7de1baf3ce2ce93d8b9c7f8b1a87
SHA512 91a922cce353c3ec47911ce0a1ca42cdbebe19e893270983fc3027d5f6e757c2e544098a0032dc579fcb0218c35f30e48bc9dec836ba26f01c5d44664f8d4f05

C:\Windows\SYSTEM.INI

MD5 5e82774b619a930e1aa6342ec6b1aeb9
SHA1 4167a41a1f7486fc0618036776fbb6473e62d074
SHA256 67540530f5d7c638bb4cbe7ea79aec8346c5638e116bf5593132a94578774949
SHA512 63980c6be1350e14ed382043e92a0590c24299e5d088d3c76ca75dfd9577286c620a43413d4ebd2857843b3ba8ce52da709cac4f72567e60bdcf07c4fda0ec1e

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-08 07:12

Reported

2025-01-08 07:14

Platform

win10v2004-20241007-en

Max time kernel

32s

Max time network

97s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57c479 C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
File created C:\Windows\e576c95 C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e576d7f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e579d2a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 652 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 652 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 652 wrote to memory of 4852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576c37.exe
PID 4852 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576c37.exe
PID 4852 wrote to memory of 1164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576c37.exe
PID 1164 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\fontdrvhost.exe
PID 1164 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\fontdrvhost.exe
PID 1164 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\dwm.exe
PID 1164 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\sihost.exe
PID 1164 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\svchost.exe
PID 1164 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\taskhostw.exe
PID 1164 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\Explorer.EXE
PID 1164 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\svchost.exe
PID 1164 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\DllHost.exe
PID 1164 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1164 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\System32\RuntimeBroker.exe
PID 1164 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1164 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\System32\RuntimeBroker.exe
PID 1164 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1164 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\System32\RuntimeBroker.exe
PID 1164 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1164 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\rundll32.exe
PID 1164 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SysWOW64\rundll32.exe
PID 1164 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 3696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
PID 4852 wrote to memory of 3696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
PID 4852 wrote to memory of 3696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
PID 1164 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\fontdrvhost.exe
PID 1164 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\fontdrvhost.exe
PID 1164 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\dwm.exe
PID 1164 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\sihost.exe
PID 1164 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\svchost.exe
PID 1164 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\taskhostw.exe
PID 1164 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\Explorer.EXE
PID 1164 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\svchost.exe
PID 1164 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\DllHost.exe
PID 1164 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1164 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\System32\RuntimeBroker.exe
PID 1164 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1164 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\System32\RuntimeBroker.exe
PID 1164 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1164 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\System32\RuntimeBroker.exe
PID 1164 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1164 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Windows\system32\rundll32.exe
PID 1164 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
PID 1164 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\e576c37.exe C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
PID 4852 wrote to memory of 3652 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579d1b.exe
PID 4852 wrote to memory of 3652 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579d1b.exe
PID 4852 wrote to memory of 3652 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579d1b.exe
PID 4852 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579d2a.exe
PID 4852 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579d2a.exe
PID 4852 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579d2a.exe
PID 3652 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\fontdrvhost.exe
PID 3652 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\fontdrvhost.exe
PID 3652 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\dwm.exe
PID 3652 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\sihost.exe
PID 3652 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\taskhostw.exe
PID 3652 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\Explorer.EXE
PID 3652 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\svchost.exe
PID 3652 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\system32\DllHost.exe
PID 3652 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3652 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e579d1b.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576c37.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579d1b.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a635801a7936fd18c60ca594c5147f0ea80b886432d8f4ee42024e1b2fc9075c.dll,#1

C:\Users\Admin\AppData\Local\Temp\e576c37.exe

C:\Users\Admin\AppData\Local\Temp\e576c37.exe

C:\Users\Admin\AppData\Local\Temp\e576d7f.exe

C:\Users\Admin\AppData\Local\Temp\e576d7f.exe

C:\Users\Admin\AppData\Local\Temp\e579d1b.exe

C:\Users\Admin\AppData\Local\Temp\e579d1b.exe

C:\Users\Admin\AppData\Local\Temp\e579d2a.exe

C:\Users\Admin\AppData\Local\Temp\e579d2a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4852-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e576c37.exe

MD5 bc850d76e7016a3b38d73f8ae2d75c34
SHA1 1f836046d4fcfca7fa36a7e38f86cf0d5ff04c77
SHA256 e28f69e06e7c73d7b55ed326a48c6e0e439d7de1baf3ce2ce93d8b9c7f8b1a87
SHA512 91a922cce353c3ec47911ce0a1ca42cdbebe19e893270983fc3027d5f6e757c2e544098a0032dc579fcb0218c35f30e48bc9dec836ba26f01c5d44664f8d4f05

memory/1164-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-6-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-9-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-7-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/1164-11-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-12-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-23-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

memory/4852-20-0x00000000009B0000-0x00000000009B2000-memory.dmp

memory/4852-21-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/3696-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-32-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-27-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-30-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/4852-29-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/1164-19-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-26-0x00000000019B0000-0x00000000019B2000-memory.dmp

memory/4852-24-0x00000000009B0000-0x00000000009B2000-memory.dmp

memory/1164-18-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-34-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-36-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3696-43-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3696-45-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/3696-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1164-46-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4852-55-0x00000000009B0000-0x00000000009B2000-memory.dmp

memory/1744-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-58-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/1164-60-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-61-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-62-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-64-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-66-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-73-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-75-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-78-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/1164-79-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3696-80-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3696-86-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-93-0x00000000019B0000-0x00000000019B2000-memory.dmp

memory/1164-103-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-102-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/3652-105-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 7286c309cfb018c42c6665c452cb8016
SHA1 ff9f2a2befafce96870dc3ea347a5bdc8a641ce8
SHA256 dc236d730a78e3d387b7e6f6769bd4e9f5085c32f99ae9fe51fe525c14dd61f9
SHA512 786705035f2a18f2ce8b6cc68baf6950ca4adefbfd4643c8803f3dd1cace7c9627ec165975d1c3ddbbbfa5eaae7602c303be12e2e5f894e55a8d0f1dab81571f

memory/1744-163-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3652-164-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3652-159-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp

memory/3652-165-0x00007FFCDB510000-0x00007FFCDB705000-memory.dmp