Malware Analysis Report

2025-08-05 19:38

Sample ID 240229-g2wqxsgg3t
Target ade2a2059d92f988de05067fd44491ef
SHA256 75074c9368cf924de049bcc3e4a3cce7bbc7a2b721aa66a353a68528abba9fb0
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75074c9368cf924de049bcc3e4a3cce7bbc7a2b721aa66a353a68528abba9fb0

Threat Level: Known bad

The file ade2a2059d92f988de05067fd44491ef was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Windows security bypass

UAC bypass

Sality

Modifies firewall policy service

Windows security modification

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 06:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 06:18

Reported

2024-02-29 06:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A (20 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A (20 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\taskhost.exe
PID 2756 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\Dwm.exe
PID 2756 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\Explorer.EXE
PID 2756 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\DllHost.exe
PID 2756 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe (9 identical rows)
PID 2440 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe (4 identical rows)
PID 2616 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\taskhost.exe
PID 2616 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\Dwm.exe
PID 2616 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\Explorer.EXE
PID 2616 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe (9 identical rows)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe

"C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"

C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe

"C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

"C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

"C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 urcdw.zavoddebila.com udp
US 8.8.8.8:53 fghfg.translate-google-cache.com udp
US 199.2.137.20:33333 fghfg.translate-google-cache.com tcp (3 identical rows)
US 8.8.8.8:53 milkyway.3utilities.com udp
US 204.95.99.109:33333 milkyway.3utilities.com tcp (3 identical rows)

Files

memory/2756-0-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2756-2-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-3-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-6-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-7-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/1256-8-0x00000000000E0000-0x00000000000E2000-memory.dmp

memory/2756-10-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-14-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-17-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2756-19-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2756-23-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2440-25-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2756-24-0x0000000004520000-0x000000000456B000-memory.dmp

memory/2756-18-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-21-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2440-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2440-29-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2756-32-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2440-39-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2756-33-0x0000000002550000-0x00000000035DE000-memory.dmp

memory/2756-40-0x0000000000400000-0x000000000044B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

MD5 ade2a2059d92f988de05067fd44491ef
SHA1 6d393613db4d16a60d9d9478cc7fb21142229284
SHA256 75074c9368cf924de049bcc3e4a3cce7bbc7a2b721aa66a353a68528abba9fb0
SHA512 5b97929997037497700b15a9a44fce02a228ec49539e7f69a222239877de6342f2ed7ad6927e82556005125982abaf4ee18b5ed9faa260c200e5ffda2838f464

memory/2440-49-0x00000000003B0000-0x00000000003FB000-memory.dmp

memory/2616-51-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2440-54-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2616-52-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2440-53-0x00000000003B0000-0x00000000003FB000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 2aa1355a23d33cebb4a949316b95e78e
SHA1 dc39812b16d55041b346c5e2d19928880aa487e4
SHA256 3fe0b4e96d0f8772ed84d89e13778a35d31745fd794331e395b5989c15ed3075
SHA512 e37cebeba02ba909912d695368edfa66702a59fd56e6aaa37953e41865deca1ea301933b0075bf6e639f5b8f22fea8e12afe6f8cc9e7d8023120fe70ae81facb

memory/2616-59-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2616-60-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2616-64-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2616-69-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2616-71-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2616-68-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2616-78-0x00000000044D0000-0x000000000451B000-memory.dmp

memory/2616-73-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2616-74-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2616-89-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2616-85-0x0000000002670000-0x00000000036FE000-memory.dmp

memory/2616-96-0x0000000000400000-0x000000000044B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 06:18

Reported

2024-02-29 06:21

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

150s

Command Line

"dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A (21 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\fontdrvhost.exe
PID 1432 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\fontdrvhost.exe
PID 1432 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\dwm.exe
PID 1432 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\sihost.exe
PID 1432 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\taskhostw.exe
PID 1432 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\Explorer.EXE
PID 1432 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\svchost.exe
PID 1432 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\DllHost.exe
PID 1432 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1432 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\System32\RuntimeBroker.exe
PID 1432 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1432 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\System32\RuntimeBroker.exe
PID 1432 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1432 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\System32\RuntimeBroker.exe
PID 1432 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1432 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1432 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1432 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 1324 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 1324 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 1324 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\fontdrvhost.exe
PID 4760 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\fontdrvhost.exe
PID 4760 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\dwm.exe
PID 4760 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\sihost.exe
PID 4760 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\svchost.exe
PID 4760 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\taskhostw.exe
PID 4760 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\Explorer.EXE
PID 4760 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\svchost.exe
PID 4760 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\DllHost.exe
PID 4760 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4760 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\System32\RuntimeBroker.exe
PID 4760 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4760 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\System32\RuntimeBroker.exe
PID 4760 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4760 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\System32\RuntimeBroker.exe
PID 4760 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4760 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4760 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4760 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe
PID 4760 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\System32\RuntimeBroker.exe
PID 4760 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Windows\System32\RuntimeBroker.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
PID 4760 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe N/A

Processes

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe

"C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe

"C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

"C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

"C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 urcdw.zavoddebila.com udp
US 8.8.8.8:53 fghfg.translate-google-cache.com udp
US 199.2.137.20:33333 fghfg.translate-google-cache.com tcp
US 8.8.8.8:53 20.137.2.199.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 milkyway.3utilities.com udp
US 204.95.99.109:33333 milkyway.3utilities.com tcp
US 8.8.8.8:53 109.99.95.204.in-addr.arpa udp
US 8.8.8.8:53 urcdw.zavoddebila.com udp
US 199.2.137.20:33333 fghfg.translate-google-cache.com tcp
US 204.95.99.109:33333 milkyway.3utilities.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 urcdw.zavoddebila.com udp
US 199.2.137.20:33333 fghfg.translate-google-cache.com tcp
US 204.95.99.109:33333 milkyway.3utilities.com tcp

Files

memory/1432-0-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1432-1-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

memory/1432-4-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

memory/1432-6-0x0000000002170000-0x0000000002172000-memory.dmp

memory/1432-7-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

memory/1432-8-0x0000000002190000-0x0000000002191000-memory.dmp

memory/1432-10-0x0000000002170000-0x0000000002172000-memory.dmp

memory/1432-11-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

memory/1432-12-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

memory/1432-13-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

memory/1324-14-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1324-16-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1432-20-0x0000000002170000-0x0000000002172000-memory.dmp

memory/1432-26-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1324-25-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1432-18-0x0000000002AD0000-0x0000000003B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

MD5 ade2a2059d92f988de05067fd44491ef
SHA1 6d393613db4d16a60d9d9478cc7fb21142229284
SHA256 75074c9368cf924de049bcc3e4a3cce7bbc7a2b721aa66a353a68528abba9fb0
SHA512 5b97929997037497700b15a9a44fce02a228ec49539e7f69a222239877de6342f2ed7ad6927e82556005125982abaf4ee18b5ed9faa260c200e5ffda2838f464

memory/4760-32-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/4760-35-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/1324-36-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4760-37-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/4760-42-0x0000000002240000-0x0000000002241000-memory.dmp

memory/4760-40-0x00000000021F0000-0x00000000021F2000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b32cb20bda59bb9d5d1756c596c4ac82
SHA1 2a633939bbac09f5114167f93b574f1de31aded5
SHA256 b6a616ca3e553b0cc7bed801d9bf6fc8bc26c3fdc97fdda6781b1d13e37723eb
SHA512 159d71a0249fef9b0fbc9689218fff888efa5e99900e6c8c1c49743383a3b17a4a3981a7eff7c7819e92591a7361f06f0eb5ec1965f840503de5297715621310

memory/4760-43-0x00000000021F0000-0x00000000021F2000-memory.dmp

memory/4760-41-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/4760-44-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/4760-45-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/4760-47-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/2604-51-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4760-54-0x00000000021F0000-0x00000000021F2000-memory.dmp

memory/4760-50-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

memory/2604-61-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4760-63-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2604-64-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-66-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-67-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-68-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-69-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-70-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-71-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-72-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-73-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-74-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-75-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-76-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-77-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-78-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-79-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2604-80-0x0000000000400000-0x000000000040D000-memory.dmp