Malware Analysis Report

2024-09-11 12:59

Sample ID 240613-3pmhdawble
Target 66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b
SHA256 66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b
Tags sality backdoor bootkit evasion persistence trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b

Threat Level: Known bad

The file 66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Windows security bypass

UAC bypass

Sality

Modifies firewall policy service

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Drops startup file

Loads dropped DLL

Windows security modification

UPX packed file

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:41

Reported

2024-06-13 23:44

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
13 matches; per-match details not exported (all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
14 matches; per-match details not exported (all fields N/A)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BFA1C7.lnk C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
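
BFA1C7.lnk in the per-user Startup folder is the persistence that survives a reboot without needing any of the UAC and firewall changes above; the report records the shortcut's creation by the dropped executable but not its contents, so the target used below (that same BFA1C7.EXE) is an assumption. Two spellings of that path appear later in this report, C:\Windows\SysWOW64\70B97F\BFA1C7.EXE and C:\Windows\system32\70B97F\BFA1C7.EXE: they are one file seen through the WoW64 file-system redirection applied to a 32-bit process, not two files, and the matcher below accepts both. The code is an added example, not from the report or the sandbox: a minimal MS-SHLLINK parser that pulls LocalBasePath out of a .lnk (header, optional IDList, LinkInfo), a scan of a Startup folder that flags targets in a hex-named directory under System32/SysWOW64 or in a user-writable location, and a builder that constructs a shortcut so the scan can be exercised offline. The six-hex-character directory pattern is taken from the 70B97F, EBFA1C, 497A92 and A92EFF names in this report.

```python
import os
import re
import struct
import tempfile
import uuid
from typing import List, Optional, Tuple

LNK_CLSID = uuid.UUID('00021401-0000-0000-c000-000000000046').bytes_le
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

# Assumed target of the dropped BFA1C7.lnk: the report shows which process
# created the shortcut but does not export what it points to.
SAMPLE_TARGET = r'C:\Windows\SysWOW64\70B97F\BFA1C7.EXE'


def parse_lnk_target(data: bytes) -> Optional[str]:
    """Return the LocalBasePath of a Shell Link (MS-SHLLINK), or None.
    Handles header + optional LinkTargetIDList + LinkInfo, the layout of an
    ordinary file shortcut."""
    if len(data) < 0x4C or struct.unpack_from('<I', data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from('<I', data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:                  # skip IDListSize + IDList
        off += 2 + struct.unpack_from('<H', data, off)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from('<IIIII', data, off)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                      # network-only link
    start = off + base_off                               # NUL-terminated ANSI path
    return data[start:data.index(b'\x00', start)].decode('cp1252', 'replace')


def build_lnk(target: str) -> bytes:
    """Constructed minimal .lnk (LinkInfo only, no IDList) for offline testing."""
    base = target.encode('cp1252') + b'\x00'
    # VolumeID: size 0x11, DRIVE_FIXED, serial 0, empty label at offset 0x10
    volume_id = struct.pack('<IIII', 0x11, 3, 0, 0x10) + b'\x00'
    hdr = 0x1C
    body = volume_id + base + b'\x00'                    # trailing empty CommonPathSuffix
    link_info = struct.pack('<IIIIIII', hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0, hdr + len(volume_id) + len(base)) + body
    header = struct.pack('<I', 0x4C) + LNK_CLSID + struct.pack('<I', HAS_LINK_INFO) + b'\x00' * 52
    return header + link_info


# Six-hex-character directory directly under System32 or SysWOW64, either spelling.
HEX_DIR = re.compile(r'^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\[0-9A-F]{6}\\[^\\]+$', re.I)
USER_WRITABLE = ('\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\')


def suspicious_target(target: str) -> Optional[str]:
    """Why a Startup shortcut target deserves a look, or None."""
    if HEX_DIR.match(target):
        return 'target is in a hex-named directory under System32/SysWOW64'
    if any(s.lower() in target.lower() for s in USER_WRITABLE):
        return 'target is in a user-writable directory'
    return None


def scan_startup(folder: str) -> List[Tuple[str, Optional[str], str]]:
    """Parse every .lnk in a Startup folder; return (name, target, reason) for hits."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith('.lnk'):
            continue
        with open(os.path.join(folder, name), 'rb') as fh:
            target = parse_lnk_target(fh.read())
        # A shortcut that does not parse is itself worth a look.
        reason = suspicious_target(target) if target else 'could not read LocalBasePath'
        if reason:
            hits.append((name, target, reason))
    return hits


STARTUP_FOLDERS = [
    os.path.join(os.environ.get('APPDATA', ''), r'Microsoft\Windows\Start Menu\Programs\Startup'),
    os.path.join(os.environ.get('ProgramData', ''), r'Microsoft\Windows\Start Menu\Programs\StartUp'),
]


def demo() -> List[Tuple[str, Optional[str], str]]:
    """Write the constructed shortcut next to a benign one and scan the folder."""
    with tempfile.TemporaryDirectory() as folder:
        for name, target in (('BFA1C7.lnk', SAMPLE_TARGET),
                             ('Vendor App.lnk', r'C:\Program Files\Vendor\App.exe')):
            with open(os.path.join(folder, name), 'wb') as fh:
                fh.write(build_lnk(target))
        return scan_startup(folder)


if __name__ == '__main__':
    for startup in STARTUP_FOLDERS:
        if os.path.isdir(startup):
            print(startup, scan_startup(startup))
    print(demo())
```

Run on a host it walks the per-user and all-users Startup folders in STARTUP_FOLDERS; offline, demo() exercises the parser and the matcher against the constructed shortcuts.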

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

UPX packed file

upx
Description Indicator Process Target
13 matches; per-match details not exported (all fields N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
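
The registry tables above (Modifies firewall policy service, UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled) overlap heavily and the signature names are loose: the EnableLUA = "0" write does not bypass UAC in the running session, it switches UAC off from the next logon, and the "Checks whether UAC is enabled" hit is that same write, not a read. Note also where the writes land: the Policies key is shared between the 32-bit and 64-bit registry views, which is why EnableLUA shows no Wow6432Node component, while the Security Center values were written through the WoW64 redirector, so a host audit on 64-bit Windows has to check both views. The script below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the layout exported above (constructed copies, with the SHA256-named sample path shortened to sample.exe), normalizes the kernel registry paths to the HKLM/HKU form that reg.exe, PowerShell and Sysmon use, and keeps only writes that move a value away from a secure baseline. The baseline values and the effect descriptions are mine; rows touching values outside the baseline, such as explorer.exe's ShellBag writes under Modifies registry class, fall through unflagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rows in the layout the sandbox exports (constructed from the tables above;
# the SHA256-named sample path is shortened to sample.exe for readability).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A',
]

# Secure baseline for the values this sample flips: (key suffix, value name)
# -> (data that keeps the protection on, what a write away from it buys the
# attacker). The effect descriptions are mine, not the sandbox's.
BASELINE = {
    ('FirewallPolicy\\StandardProfile', 'EnableFirewall'): ('1', 'Windows Firewall turned off'),
    # strict "no exceptions" setting; 0 is the Windows default
    ('FirewallPolicy\\StandardProfile', 'DoNotAllowExceptions'): ('1', 'firewall exceptions re-allowed'),
    ('FirewallPolicy\\StandardProfile', 'DisableNotifications'): ('0', 'firewall notifications silenced'),
    ('Policies\\System', 'EnableLUA'): ('1', 'UAC disabled from the next logon'),
    ('Security Center', 'AntiVirusOverride'): ('0', 'Security Center ignores AV state'),
    ('Security Center', 'AntiVirusDisableNotify'): ('0', 'AV warnings silenced'),
    ('Security Center', 'FirewallOverride'): ('0', 'Security Center ignores firewall state'),
    ('Security Center', 'FirewallDisableNotify'): ('0', 'firewall warnings silenced'),
    ('Security Center', 'UpdatesDisableNotify'): ('0', 'update warnings silenced'),
    ('Security Center', 'UacDisableNotify'): ('0', 'UAC warnings silenced'),
}

# "<verb> <indicator> <process> <target>"; the indicator may contain spaces,
# so it is matched lazily up to the process path.
ROW_RE = re.compile(
    r'^(?P<verb>Set value \((?:int|str|data)\)|Key created|Key deleted)\s+'
    r'(?P<indicator>\\REGISTRY\\.*?)\s+'
    r'(?P<process>C:\\\S+|N/A)\s+(?P<target>\S+)$'
)


def normalize_key(path: str) -> Tuple[str, bool]:
    """Map the kernel-style path the sandbox logs to the HKLM/HKU form used by
    reg.exe, PowerShell and Sysmon TargetObject, and report whether the write
    went through the WoW64 (32-bit) view of the registry."""
    wow64 = '\\wow6432node\\' in path.lower()
    for prefix, hive in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if path.upper().startswith(prefix):
            path = hive + path[len(prefix):]
    return path, wow64


@dataclass
class Finding:
    key: str           # normalized key path
    value: str         # value name, '' for key create/delete rows
    written: str       # data written, as logged
    process: str       # writing process
    wow64_view: bool   # True if the write landed in the Wow6432Node view
    effect: str        # attacker benefit, '' if the value is not in BASELINE
    downgrade: bool    # True if the data departs from the secure baseline


def classify(row: str) -> Optional[Finding]:
    """Parse one exported row; None if it is not a registry row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    verb, indicator, process = m.group('verb'), m.group('indicator'), m.group('process')
    if not verb.startswith('Set value'):
        key, wow64 = normalize_key(indicator)
        return Finding(key, '', '', process, wow64, '', False)
    key_path, _, raw = indicator.partition(' = ')
    key, name = key_path.rsplit('\\', 1)
    nkey, wow64 = normalize_key(key)
    data = raw.strip('"')
    for (suffix, vname), (secure, effect) in BASELINE.items():
        if vname.lower() == name.lower() and key.lower().endswith(suffix.lower()):
            return Finding(nkey, name, data, process, wow64, effect, data != secure)
    return Finding(nkey, name, data, process, wow64, '', False)


def audit(rows: List[str]) -> List[Finding]:
    """Keep only the writes that weaken a protection."""
    found = [classify(r) for r in rows]
    return [f for f in found if f is not None and f.downgrade]


def sysmon_targets(findings: List[Finding]) -> List[str]:
    """TargetObject strings for a Sysmon Event ID 13 rule or a SIEM search."""
    return sorted({f'{f.key}\\{f.value}' for f in findings})


if __name__ == '__main__':
    for f in audit(SAMPLE_ROWS):
        view = ' [WoW64 view]' if f.wow64_view else ''
        print(f'{f.process} set {f.key}\\{f.value} = {f.written}: {f.effect}{view}')
```

Feed it the Set value rows of any report of this family (or Sysmon Event ID 13 TargetObject/Details pairs through a small adapter) and sysmon_targets() gives the list of registry paths to alert on; the wow64_view flag tells you which of them must be checked under Wow6432Node on a 64-bit host.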

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
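
The two PhysicalDrive0 rows record write-access opens of the raw disk by the sample and by the dropped BFA1C7.EXE; the sandbox does not record what, if anything, was written, so the bootkit tag rests on the open alone. The check a responder actually wants is a diff of the first sector against a known-good copy, and the parts to compare are the boot code in bytes 0-439, the disk signature, the partition table and the 0x55AA trailer: a working bootkit replaces the boot code and leaves the partition table and trailer intact so the machine still boots. The code below is an added example, not from the report: it parses those fields, compares two sectors, and runs offline against a constructed 512-byte MBR and a tampered copy of it; read_mbr shows how to pull the live sector on a host (administrator required).

```python
import hashlib
import struct

SECTOR = 512
DISK_SIG = 0x1B8     # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE = 0x1BE   # four 16-byte partition entries
BOOT_SIG = 0x1FE     # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the fields worth baselining."""
    if len(sector) != SECTOR:
        raise ValueError('MBR must be exactly 512 bytes')
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack('<B3xB3xII', entry)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({'bootable': status == 0x80, 'type': ptype,
                          'lba_start': lba, 'sectors': count})
    return {
        # bytes 0-439 are the code the BIOS jumps to; this is what a bootkit patches
        'boot_code_sha256': hashlib.sha256(sector[:DISK_SIG]).hexdigest(),
        'disk_signature': struct.unpack('<I', sector[DISK_SIG:DISK_SIG + 4])[0],
        'partitions': parts,
        'signature_ok': sector[BOOT_SIG:] == b'\x55\xaa',
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings as strings; an empty list means the live sector matches the baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c['signature_ok']:
        findings.append('boot signature 0x55AA missing: sector is not a valid MBR')
    if b['boot_code_sha256'] != c['boot_code_sha256']:
        findings.append('boot code (bytes 0-439) changed: possible bootkit')
    if b['disk_signature'] != c['disk_signature']:
        findings.append('disk signature changed')
    if b['partitions'] != c['partitions']:
        findings.append('partition table changed')
    return findings


def read_mbr(device: str = r'\\.\PhysicalDrive0') -> bytes:
    """Read the live first sector (administrator on Windows; e.g. /dev/sda on Linux)."""
    with open(device, 'rb') as fh:
        return fh.read(SECTOR)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: one bootable NTFS partition at LBA 2048, used as the baseline."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG:DISK_SIG + 4] = struct.pack('<I', 0x1234ABCD)
    sector[PART_TABLE:PART_TABLE + 16] = struct.pack('<B3xB3xII', 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG:] = b'\x55\xaa'
    return bytes(sector)


# Constructed prologue (cli; xor ax,ax; mov ss,ax; mov sp,0x7C00) padded with nops.
CLEAN_MBR = build_sample_mbr(b'\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c' + b'\x90' * 32)
# Constructed tampered copy: new boot code, untouched partition table and
# trailer, so the disk still boots and only the code diff gives it away.
INFECTED_MBR = b'\xeb\x3c' + CLEAN_MBR[2:]


if __name__ == '__main__':
    print(compare_mbr(CLEAN_MBR, INFECTED_MBR))
```

Take the baseline from a golden image or from the same host before detonation; without one, the boot-signature check and a manual read of the partition table still tell you whether the sector is intact.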

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\70B97F\shell.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\krnln.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\spec.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\EBFA1C C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\dp1.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\com.run C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\internet.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\BFA1C7.EXE C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\497A92\7fe4.EDT C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\70B97F\shell.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\497A92\d170.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.EDT C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\d170.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\70B97F\krnln.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\spec.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\spec_a.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\com.run C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\A92EFF C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92 C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\70B97F\eAPI.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\internet.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.edt C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\70B97F\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\dp1.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\eAPI.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\BFA1C7.EXE C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\497A92\7fe4.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\70B97F\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Windows\explorer.exe N/A
File created C:\Windows\f760e53 C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A (this row is reported 20 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 2108 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 2108 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 2108 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 2108 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\taskhost.exe
PID 2108 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\Dwm.exe
PID 2108 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\Explorer.EXE
PID 2108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\DllHost.exe
PID 2108 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 2108 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 2108 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 2108 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 2108 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 2108 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe

"C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

C:\Windows\system32\70B97F\BFA1C7.EXE

Network

N/A

Files

memory/2108-0-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2108-9-0x0000000001E00000-0x0000000002EBA000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 21b8f5c5d1135bf5ad8c78e0995b3a41
SHA1 1f2a75443a9e3b09e0f3752c0b7d5ac0149a9967
SHA256 7aaeb340bae471fc7a7031a593a04fabb21f71c5decf197765d0402e1f47bfad
SHA512 cf517c80132498e0d27971b13c3f15e6ea20bc6dcab3367a500a87ec0320f31eca78a722da74d8046084cc7b998246ffdd992a8f22938a73b0241b2837bdbe2d

memory/2108-12-0x0000000010000000-0x000000001011D000-memory.dmp

memory/2108-15-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-16-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/3044-39-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2108-44-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/3044-43-0x0000000000080000-0x0000000000082000-memory.dmp

memory/2108-22-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-41-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2108-21-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-20-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/3044-40-0x0000000000080000-0x0000000000082000-memory.dmp

memory/2108-35-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2108-33-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2108-32-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/1108-23-0x0000000000410000-0x0000000000412000-memory.dmp

memory/2108-19-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-17-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-18-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-14-0x0000000001E00000-0x0000000002EBA000-memory.dmp

C:\Windows\SysWOW64\70B97F\shell.fne

MD5 92b6b3570cb71d7e5f4b1dc3d1f57166
SHA1 0ae55c6ccc0d08e06a14c2e157740818c72c3242
SHA256 4b65533c195c953b523f8aba873f3a9972eaf0682e0d2594b81ae3be6942185a
SHA512 7b8c638e1ceac40a78c6a348c04bbe5ad21246175709a1b51f782d11fe36baebc8e95c51a1b7b57178678cd45d14a145d397d2ce761eefeae783ebb27cdabb0f

C:\Windows\SysWOW64\70B97F\dp1.fne

MD5 f1126e3c472038e3a1c13c66016c488b
SHA1 9fb3e54bcf048f890e1c3ee5ed29c3356af00bc2
SHA256 9a8e63f8b65a7a4f5ab740dae3be24ac4c40199014c13142aabe65c38c720b8f
SHA512 d1158bc493021d6a7c675a1d9c992736f803cbe68cfd2f7fd2f7035560d1d3e5dfa1ad656e42bfef774d4fac1c22ed947f057866df62abac37cd5d760e513c1f

memory/2548-61-0x0000000003D10000-0x0000000003D20000-memory.dmp

memory/2108-57-0x0000000003070000-0x000000000308E000-memory.dmp

memory/2108-56-0x0000000002FC0000-0x0000000002FD1000-memory.dmp

memory/2108-74-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-75-0x0000000001E00000-0x0000000002EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 907d0bf6f4e14f166761722d5d5b8994
SHA1 0c969bbd04d542897bc7d5b2744d17e642a70aa8
SHA256 d25b055db62d94c6bb40c92e7152f10b1c8439f299adb49234b05ec0493c6420
SHA512 b6169ab78592117188ae6b90c6a647793cd185f26764da99071e857ff194a3404a2e0b8f11ba224687b764cb937286068b7304edfa63275ba1adb3670c735307

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

MD5 0413553d89a26619ac83c262d9a82369
SHA1 a5c9078b28a36307327c4ad5c8c533c6be6847ac
SHA256 db46bfc50cd235de51a27f53bd1c932858d77f7ebac5aafa236bad45f968519f
SHA512 f38f47899579e59a6349559ec39b394db6aad39e6a622e2b3f0110344f1eff4266c0595c6a69e9d59ebae4ae97d9c660a3895f3db10dcdb707e7ad12ddb29c23

memory/1852-101-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1852-106-0x00000000001B0000-0x00000000001FA000-memory.dmp

\Windows\SysWOW64\70B97F\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/1852-104-0x0000000010000000-0x000000001011D000-memory.dmp

memory/1852-124-0x0000000001D60000-0x0000000001D7E000-memory.dmp

memory/1852-126-0x0000000001E30000-0x0000000001E8E000-memory.dmp

\Windows\SysWOW64\70B97F\eAPI.fne

MD5 aafcfb3f75a8d881dd1b43826ac8135f
SHA1 d8e36a21ce1422f22e992be1ad2fe58aae1d191b
SHA256 65822e872d3c3280942149eb460b1a256e2b77dfd322b98293334708040fa264
SHA512 ea257d1a30202da1662dd711ff0f0980cc9ab9ab2a11842fb1e6c4b379bfa9111d7118fbc4733d2910b2fc569f27bd9cdb2c01d87041b102e751e0655a132d8d

memory/1852-123-0x0000000000590000-0x00000000005A1000-memory.dmp

memory/2108-122-0x0000000001E00000-0x0000000002EBA000-memory.dmp

memory/2108-100-0x0000000004380000-0x000000000439F000-memory.dmp

memory/2108-84-0x0000000004220000-0x0000000004235000-memory.dmp

memory/2108-142-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1852-148-0x0000000001F50000-0x0000000001F60000-memory.dmp

memory/2108-141-0x0000000010000000-0x000000001011D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:41

Reported

2024-06-13 23:44

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BFA1C7.lnk C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
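The two rows above record that both the dropper and the dropped BFA1C7.EXE opened \??\PhysicalDrive0 with write access; the signature fires on the handle, not on the bytes written, so it does not by itself show that sector 0 changed. The check a responder wants is to image the first sector of the disk and diff it against a known-good copy. The following is an added example, not code from the sandbox or the sample: it parses a 512-byte MBR (bootstrap code, disk signature, partition table, 55 AA signature) and reports which region differs. The baseline and infected sectors are constructed test data; read_first_sector() shows the raw-device read but is not called in the demo because it needs administrator rights on a Windows host. On a UEFI/GPT machine sector 0 is only a protective MBR, so a clean result there does not clear the EFI system partition.

```python
"""Parse a 512-byte MBR and diff it against a known-good copy.

Added example on constructed sectors; not code from the sandbox or the sample.
Layout: bytes 0-439 bootstrap code, 440-443 Windows disk signature, 444-445
reserved, 446-509 four 16-byte partition entries, 510-511 signature 55 AA.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_END = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass(frozen=True)
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: tuple
    valid_signature: bool


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return Mbr(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        partitions=tuple(parts),
        valid_signature=sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    )


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Differences that matter for bootkit triage, in a fixed order."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    issues = []
    if not b.valid_signature:
        issues.append("boot signature missing")
    if a.boot_code_sha256 != b.boot_code_sha256:
        issues.append("bootstrap code changed")
    if a.partitions != b.partitions:
        issues.append("partition table changed")
    if a.disk_signature != b.disk_signature:
        issues.append("disk signature changed")
    return issues


def read_first_sector(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk; needs administrator rights on Windows (not called in the demo)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sector(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a synthetic MBR (constructed test data)."""
    sec = bytearray(SECTOR_SIZE)
    sec[: len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sec)


# Known-good baseline: a typical Windows layout, system partition then bootable OS partition.
BASELINE = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8", 0x1234ABCD,
                        [(False, 0x07, 2048, 1024000), (True, 0x07, 1026048, 204800000)])

# Bootkit-style tampering: the first instruction now jumps to code placed further
# into the sector; partition table, disk signature and 55 AA are left untouched.
_patched = bytearray(BASELINE)
_patched[0:3] = b"\xEB\x3C\x90"
INFECTED = bytes(_patched)

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print("baseline vs baseline:", diff_mbr(BASELINE, BASELINE))
    print("baseline vs infected:", diff_mbr(BASELINE, INFECTED))
```

The bootstrap hash deliberately stops at byte 440 so that a legitimately different disk signature does not mask or mimic a code change; the disk signature and partition table are compared as their own items.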

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\70B97F\krnln.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\shell.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\com.run C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\497A92\7fe4.EDT C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\70B97F\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\shell.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\A92EFF C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\d170.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\497A92\d170.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\EBFA1C C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\krnln.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\internet.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\spec.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.EDT C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\70B97F\dp1.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\spec_a.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\spec.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\BFA1C7.EXE C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\497A92\7fe4.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\SysWOW64\70B97F\eAPI.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\497A92 C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.inf C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File opened for modification C:\Windows\SysWOW64\497A92\7fe4.edt C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
File created C:\Windows\SysWOW64\70B97F\dp1.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\BFA1C7.EXE C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\internet.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\com.run C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File opened for modification C:\Windows\SysWOW64\70B97F\eAPI.fne C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
File created C:\Windows\e573f4b C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\70B97F\BFA1C7.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4332 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\dwm.exe
PID 4332 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\sihost.exe
PID 4332 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\taskhostw.exe
PID 4332 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\Explorer.EXE
PID 4332 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\DllHost.exe
PID 4332 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4332 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4332 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4332 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4332 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4332 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4332 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 4332 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 4332 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\explorer.exe
PID 4332 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 4332 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 4332 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
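The table above shows PID 4332 (the dropper) writing into fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE, DllHost.exe, the Start Menu, Search and input hosts, several RuntimeBroker.exe instances, and finally into the two processes it started itself (SysWOW64\explorer.exe and BFA1C7.EXE). Writing into long-running session processes the sample did not create is the process-injection pattern (ATT&CK T1055); the repeated writes into a freshly created child are also produced by ordinary process creation and are weaker evidence on their own. The following is an added example, not sandbox tooling: it folds rows in this table's format into one summary per source PID and flags a source that fans out to many targets or touches a system process. The rows are constructed from the ones above with a shortened sample path; the image list and the fan-out threshold of 4 are assumptions to tune for the environment.

```python
"""Fan-out check over sandbox 'wrote to memory of' rows.

Added example with constructed rows in the report's format; not sandbox code.
"""
import re
from dataclasses import dataclass, field

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$")

# Long-lived session/system processes a freshly started user program has no reason
# to write into (assumed list; compared case-insensitively on the image basename).
SYSTEM_IMAGES = {"fontdrvhost.exe", "dwm.exe", "sihost.exe", "svchost.exe", "taskhostw.exe",
                 "explorer.exe", "dllhost.exe", "runtimebroker.exe", "winlogon.exe", "lsass.exe"}
FANOUT_THRESHOLD = 4  # distinct target processes from one source before alerting (assumed)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class InjectionSummary:
    source_pid: int
    source_image: str
    targets: dict = field(default_factory=dict)  # target pid -> image
    write_count: int = 0

    @property
    def distinct_targets(self) -> int:
        return len(self.targets)

    @property
    def system_targets(self) -> list:
        return sorted(pid for pid, img in self.targets.items() if basename(img) in SYSTEM_IMAGES)

    @property
    def flagged(self) -> bool:
        return self.distinct_targets >= FANOUT_THRESHOLD or bool(self.system_targets)


def summarise_writes(rows) -> list:
    """One InjectionSummary per source PID, in first-seen order."""
    by_src = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src = int(m["src"])
        if src not in by_src:
            by_src[src] = InjectionSummary(src, m["src_image"])
        by_src[src].targets[int(m["dst"])] = m["dst_image"]
        by_src[src].write_count += 1
    return list(by_src.values())


# Constructed rows modelled on the report; 'sample.exe' stands in for the long hash name.
SAMPLE_ROWS = r"""
PID 4332 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\fontdrvhost.exe
PID 4332 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\dwm.exe
PID 4332 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\sihost.exe
PID 4332 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\svchost.exe
PID 4332 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Explorer.EXE
PID 4332 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\explorer.exe
PID 4332 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\explorer.exe
PID 4332 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\explorer.exe
PID 4332 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 4332 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 4332 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
PID 1000 wrote to memory of 1001 N/A C:\Tools\setup.exe C:\Tools\helper.exe
PID 1000 wrote to memory of 1001 N/A C:\Tools\setup.exe C:\Tools\helper.exe
""".strip().splitlines()

if __name__ == "__main__":
    for s in summarise_writes(SAMPLE_ROWS):
        print(f"PID {s.source_pid} {basename(s.source_image)}: {s.write_count} writes, "
              f"{s.distinct_targets} targets, system targets {s.system_targets}, flagged={s.flagged}")
```

The benign installer (PID 1000) writes twice into a single child it started and is not flagged; the dropper is flagged on both criteria. The same logic applies to Sysmon Event ID 8/10 or EDR cross-process-write telemetry once the fields are mapped.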

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe N/A
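The registry rows under "Modifies firewall policy service", "UAC bypass", "Windows security bypass", "Windows security modification", "Checks whether UAC is enabled" and "System policy modification" all describe the same thing: the sample writes the values that turn a protection off or silence its notifications. Two caveats before acting on them: EnableLUA = 0 only takes effect after a reboot or logoff, and the Security Center override/notify values were written under WOW6432Node (the 32-bit redirected view) and date from the older Security Center design, so treat them as evidence of intent rather than proof that the host's defences were actually disabled. The following is an added example, not sandbox tooling: it parses rows in this report's "Set value" format, matches them against a small policy of known defence-tampering values, and tags each hit with its ATT&CK v13 technique (T1562.004 for the firewall profile, T1548.002 for UAC, T1562.001 for Security Center). The rows are constructed from the ones above with the hash-named sample shortened to sample.exe; the policy table is an assumption to extend.

```python
"""Triage of sandbox 'Set value' registry indicators for defence tampering.

Added example with constructed input modelled on the report rows; it is not
tooling from the sandbox. Technique IDs are MITRE ATT&CK v13 identifiers.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One report row per line: 'Set value (<type>) <key\value> = "<data>" <process> <target>'.
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str|data)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

# (key suffix, value name) -> (data meaning "protection off", ATT&CK technique, summary).
# Matched case-insensitively on the key tail after the WOW6432Node node is removed, so
# the 32-bit view written by this sample and the native 64-bit view both match.
TAMPER_POLICY = {
    ("policies\\system", "enablelua"): ("0", "T1548.002", "UAC disabled (effective after reboot)"),
    ("firewallpolicy\\standardprofile", "enablefirewall"): ("0", "T1562.004", "firewall profile disabled"),
    ("firewallpolicy\\standardprofile", "disablenotifications"): ("1", "T1562.004", "firewall notifications silenced"),
    ("firewallpolicy\\standardprofile", "donotallowexceptions"): ("0", "T1562.004", "firewall exceptions allowed"),
    ("microsoft\\security center", "antivirusoverride"): ("1", "T1562.001", "Security Center AV state overridden"),
    ("microsoft\\security center", "firewalloverride"): ("1", "T1562.001", "Security Center firewall state overridden"),
    ("microsoft\\security center", "antivirusdisablenotify"): ("1", "T1562.001", "AV notifications silenced"),
    ("microsoft\\security center", "firewalldisablenotify"): ("1", "T1562.001", "firewall notifications silenced"),
    ("microsoft\\security center", "updatesdisablenotify"): ("1", "T1562.001", "update notifications silenced"),
    ("microsoft\\security center", "uacdisablenotify"): ("1", "T1562.001", "UAC notifications silenced"),
}


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value_name: str
    data: str
    technique: str
    summary: str


def normalise_key(key: str) -> str:
    """Lower-case the key and drop the WOW6432Node node so suffix matching is view-independent."""
    return key.lower().replace("\\wow6432node", "")


def evaluate(rows) -> list:
    """Return one Finding per row whose data puts a protection into its 'off' state."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # 'Key created', 'Key deleted' and unquoted data rows are not policy rows
        key, _, name = m["path"].rpartition("\\")
        nkey, nname = normalise_key(key), name.lower()
        for (suffix, vname), (off_state, technique, summary) in TAMPER_POLICY.items():
            if nkey.endswith(suffix) and nname == vname and m["data"] == off_state:
                findings.append(Finding(m["process"], key, name, m["data"], technique, summary))
    return findings


def by_technique(findings) -> dict:
    return dict(Counter(f.technique for f in findings))


def tampering_processes(findings) -> set:
    return {f.process for f in findings}


# Constructed rows in the report's format; 'sample.exe' stands in for the hash-named dropper.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1-2-3-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    hits = evaluate(SAMPLE_ROWS)
    for f in hits:
        print(f"{f.technique}  {f.summary:42} {f.key}\\{f.value_name}={f.data}  by {f.process}")
    print("techniques:", by_technique(hits))
```

The benign EnableLUA = 1 write and the Internet Explorer toolbar row produce no finding, and the "Key created" row is skipped by the parser. On a live host the same value names are checked under HKLM\SYSTEM\CurrentControlSet rather than the ControlSet001 path the sandbox recorded.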

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe

"C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\66d5285da8997cac648284ddf675860b314b328f5bd503cfe37a66263cd3424b

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

C:\Windows\system32\70B97F\BFA1C7.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/4332-0-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4332-3-0x0000000002200000-0x00000000032BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 21b8f5c5d1135bf5ad8c78e0995b3a41
SHA1 1f2a75443a9e3b09e0f3752c0b7d5ac0149a9967
SHA256 7aaeb340bae471fc7a7031a593a04fabb21f71c5decf197765d0402e1f47bfad
SHA512 cf517c80132498e0d27971b13c3f15e6ea20bc6dcab3367a500a87ec0320f31eca78a722da74d8046084cc7b998246ffdd992a8f22938a73b0241b2837bdbe2d

memory/4332-16-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-4-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-1-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-19-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-5-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-18-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-32-0x0000000003C00000-0x0000000003C02000-memory.dmp

memory/4332-31-0x0000000002200000-0x00000000032BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 92b6b3570cb71d7e5f4b1dc3d1f57166
SHA1 0ae55c6ccc0d08e06a14c2e157740818c72c3242
SHA256 4b65533c195c953b523f8aba873f3a9972eaf0682e0d2594b81ae3be6942185a
SHA512 7b8c638e1ceac40a78c6a348c04bbe5ad21246175709a1b51f782d11fe36baebc8e95c51a1b7b57178678cd45d14a145d397d2ce761eefeae783ebb27cdabb0f

memory/4332-64-0x0000000004850000-0x000000000486E000-memory.dmp

memory/4332-63-0x0000000004830000-0x0000000004841000-memory.dmp

C:\Windows\SysWOW64\70B97F\eAPI.fne

MD5 aafcfb3f75a8d881dd1b43826ac8135f
SHA1 d8e36a21ce1422f22e992be1ad2fe58aae1d191b
SHA256 65822e872d3c3280942149eb460b1a256e2b77dfd322b98293334708040fa264
SHA512 ea257d1a30202da1662dd711ff0f0980cc9ab9ab2a11842fb1e6c4b379bfa9111d7118fbc4733d2910b2fc569f27bd9cdb2c01d87041b102e751e0655a132d8d

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 f1126e3c472038e3a1c13c66016c488b
SHA1 9fb3e54bcf048f890e1c3ee5ed29c3356af00bc2
SHA256 9a8e63f8b65a7a4f5ab740dae3be24ac4c40199014c13142aabe65c38c720b8f
SHA512 d1158bc493021d6a7c675a1d9c992736f803cbe68cfd2f7fd2f7035560d1d3e5dfa1ad656e42bfef774d4fac1c22ed947f057866df62abac37cd5d760e513c1f

C:\Windows\SysWOW64\70B97F\cnvpe.fne

MD5 907d0bf6f4e14f166761722d5d5b8994
SHA1 0c969bbd04d542897bc7d5b2744d17e642a70aa8
SHA256 d25b055db62d94c6bb40c92e7152f10b1c8439f299adb49234b05ec0493c6420
SHA512 b6169ab78592117188ae6b90c6a647793cd185f26764da99071e857ff194a3404a2e0b8f11ba224687b764cb937286068b7304edfa63275ba1adb3670c735307

memory/4332-28-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-30-0x0000000003C00000-0x0000000003C02000-memory.dmp

memory/4332-29-0x0000000010000000-0x000000001011D000-memory.dmp

memory/4332-27-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-17-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-21-0x0000000003C10000-0x0000000003C11000-memory.dmp

memory/4332-20-0x0000000003C00000-0x0000000003C02000-memory.dmp

memory/4332-83-0x00000000048B0000-0x00000000048C5000-memory.dmp

memory/2364-88-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2364-92-0x0000000010000000-0x000000001011D000-memory.dmp

memory/4332-68-0x0000000002200000-0x00000000032BA000-memory.dmp

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

MD5 0413553d89a26619ac83c262d9a82369
SHA1 a5c9078b28a36307327c4ad5c8c533c6be6847ac
SHA256 db46bfc50cd235de51a27f53bd1c932858d77f7ebac5aafa236bad45f968519f
SHA512 f38f47899579e59a6349559ec39b394db6aad39e6a622e2b3f0110344f1eff4266c0595c6a69e9d59ebae4ae97d9c660a3895f3db10dcdb707e7ad12ddb29c23

memory/2364-96-0x0000000002380000-0x00000000023CA000-memory.dmp

C:\Windows\SysWOW64\70B97F\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/4332-74-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-98-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-107-0x0000000002200000-0x00000000032BA000-memory.dmp

memory/4332-114-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4332-115-0x0000000010000000-0x000000001011D000-memory.dmp

memory/2364-125-0x0000000002D80000-0x0000000002D9E000-memory.dmp

memory/2364-123-0x0000000002D80000-0x0000000002D9E000-memory.dmp

memory/2364-120-0x0000000002D60000-0x0000000002D71000-memory.dmp

memory/2364-137-0x0000000003100000-0x000000000315E000-memory.dmp
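The Files table mixes two kinds of artifact. Entries of the form memory/<pid>-<n>-<start>-<end>-memory.dmp are regions the sandbox dumped from PIDs 4332 and 2364 (the 0x2200000-0x32BA000 region of PID 4332 is dumped repeatedly as its contents change), while each on-disk path is followed by MD5/SHA1/SHA256/SHA512 lines for a dropped file. The dropped files are the E_N4 support libraries (krnln.fnr is the core runtime library of Easy Programming Language (EPL) builds, which unpack into a temp folder named E_N4) plus the copies written under C:\Windows\SysWOW64\70B97F. The process list above shows BFA1C7.EXE under both C:\Windows\SysWOW64 and C:\Windows\system32; for a 32-bit process those normally resolve to the same location through WOW64 file system redirection, which matters when deduplicating paths. The Python below is an added example, not part of the report or the sandbox: it parses an excerpt constructed from the entries above into structured records, separates memory dumps from on-disk files, collapses repeated dumps of the same region per PID, and extracts the SHA256 of each dropped file as an IOC.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt constructed from the report's Files table (a subset of the memory
# dumps and two of the dropped files; digests copied verbatim from the table).
SAMPLE_FILES_SECTION = r"""
memory/4332-0-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4332-3-0x0000000002200000-0x00000000032BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 21b8f5c5d1135bf5ad8c78e0995b3a41
SHA1 1f2a75443a9e3b09e0f3752c0b7d5ac0149a9967
SHA256 7aaeb340bae471fc7a7031a593a04fabb21f71c5decf197765d0402e1f47bfad
SHA512 cf517c80132498e0d27971b13c3f15e6ea20bc6dcab3367a500a87ec0320f31eca78a722da74d8046084cc7b998246ffdd992a8f22938a73b0241b2837bdbe2d

memory/4332-16-0x0000000002200000-0x00000000032BA000-memory.dmp

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

MD5 0413553d89a26619ac83c262d9a82369
SHA1 a5c9078b28a36307327c4ad5c8c533c6be6847ac
SHA256 db46bfc50cd235de51a27f53bd1c932858d77f7ebac5aafa236bad45f968519f
SHA512 f38f47899579e59a6349559ec39b394db6aad39e6a622e2b3f0110344f1eff4266c0595c6a69e9d59ebae4ae97d9c660a3895f3db10dcdb707e7ad12ddb29c23

memory/2364-88-0x0000000000400000-0x000000000041F000-memory.dmp
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class MemoryDump:
    pid: int
    seq: int      # the sandbox's per-dump sequence number
    start: int
    end: int


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_files_section(text: str) -> Tuple[List[MemoryDump], List[DroppedFile]]:
    """Split a Files section into memory dumps and on-disk files.

    A hash line attaches to the most recent path; a hash line with no
    preceding path, or a digest of the wrong length, is a parse error rather
    than something to silently skip, since the output feeds a blocklist.
    """
    dumps: List[MemoryDump] = []
    files: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None  # a dump line ends the previous file's hash block
            dumps.append(MemoryDump(int(m["pid"]), int(m["seq"]),
                                    int(m["start"], 16), int(m["end"], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h.group(1), h.group(2).lower()
            if current is None or len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"unexpected or malformed hash line: {line}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # any other line starts a new file
        files.append(current)
    return dumps, files


def sha256_by_path(files: List[DroppedFile]) -> Dict[str, str]:
    """Path -> SHA256 for every dropped file that carries one."""
    return {f.path: f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def distinct_regions(dumps: List[MemoryDump]) -> Dict[int, List[Tuple[int, int]]]:
    """Collapse repeated dumps of the same region: pid -> sorted (start, end)."""
    regions: Dict[int, set] = {}
    for d in dumps:
        regions.setdefault(d.pid, set()).add((d.start, d.end))
    return {pid: sorted(r) for pid, r in regions.items()}


def files_in_windows_dir(files: List[DroppedFile]) -> List[str]:
    """Dropped files written under C:\\Windows, the persistence-relevant ones."""
    return [f.path for f in files if f.path.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    dumps, files = parse_files_section(SAMPLE_FILES_SECTION)
    for path, digest in sha256_by_path(files).items():
        print(f"{digest}  {path}")
    for pid, regs in distinct_regions(dumps).items():
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in regs])
```

Feeding the full Files table through this instead of the excerpt yields one SHA256 per dropped file (the E_N4 libraries, eAPI.fne, cnvpe.fne, com.run and BFA1C7.EXE) and the distinct dumped regions per PID, which is the form an analyst would hand to a blocklist or a memory-forensics follow-up.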