Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-3njebs1cne
Target 8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e
SHA256 8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e

Threat Level: Known bad

The file 8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies visibility of file extensions in Explorer

Windows security bypass

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies firewall policy service

Sality

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Windows security modification

Loads dropped DLL

Deletes itself

Executes dropped EXE

UPX packed file

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:39

Reported

2024-06-14 23:42

Platform

win7-20240220-en

Max time kernel

31s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

EnableFirewall = 0 turns Windows Firewall off for the standard profile and DisableNotifications = 1 suppresses the warning that it is off; DoNotAllowExceptions = 0 is the normal value (exceptions permitted), so only the first two represent a weakened state. All three keys sit under HKLM\SYSTEM and can only be written by a process holding administrative rights; treat them as attempted writes unless the sandbox confirms success. The identical writes from the submitted sample and from the dropped rundll32.exe are expected, because the dropped file has the same SHA256 as the sample (Files section).

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

HideFileExt = 1 (previous table) hides known file extensions and ShowSuperHidden = 0 hides files carrying the system attribute. Both are the Windows defaults, so these writes re-assert a default rather than flip a hardened setting; the effect is that a dropped file named rundll32.exe, or one marked with the system attribute, is not distinguishable in Explorer on a host that had changed either setting.

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

EnableLUA = 0 does not bypass a UAC prompt; it disables UAC for the whole machine, and the change takes effect at the next logon. The key is under HKLM, so the write itself requires an already-elevated process. The same two writes are listed again below under "Checks whether UAC is enabled" and "System policy modification"; count them once when building indicators.

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

The *DisableNotify values silence the Security Center warnings for antivirus, firewall, updates and UAC; the *Override values mark the antivirus and firewall as user-managed so that their absence is not reported. These legacy values were honoured by Security Center on Windows XP through 7 (the behavioral1 platform). The writes land under Wow6432Node, i.e. through WoW64 registry redirection, which shows the sample is a 32-bit process on 64-bit Windows (consistent with the 0x400000 image region in the Files section).

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A (28 matches listed; indicator, process and target not recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (29 matches listed; indicator, process and target not recorded for any of them)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

The dropped executable is C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe, whose SHA256 (Files section) is that of the submitted sample: the sample copies itself into a Microsoft-looking path under the user profile and starts the copy. The "Deletes itself" entry above is attributed to that copy, consistent with the copy removing the original from Temp once it is running.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (27 matches listed; indicator, process and target not recorded for any of them)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

These are the same Security Center writes already listed under "Windows security bypass", with the creation of the Security Center\Svc key as the only addition; deduplicate by key and value name when extracting indicators.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

The value name "Microsoft Windows" and the file name rundll32.exe in an Office-named directory are both chosen to look legitimate. The genuine rundll32.exe lives in C:\Windows\System32, so a Run entry pointing at a rundll32.exe outside the Windows directory is an indicator on its own, independent of the Sality classification.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Despite the signature title, the rows are the same EnableLUA writes listed under "UAC bypass"; the sandbox records no read of the value.
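The registry tables above (firewall policy, Explorer, EnableLUA, Security Center, Run key) are the indicators an incident responder turns into a host check. The following Python is an added example for this page, not the sandbox vendor's code: it parses rows in the page's own flattened format (twelve rows copied from the tables above serve as constructed input), merges writes by key and value so the sample and its dropped copy count once, grades each against a hardened baseline that is this example's own assumption (BASELINE, including the choice to show extensions and protected files, which differs from the Windows defaults), and emits reg.exe commands that restore it. The reg.exe syntax is standard; the HKLM lines need an elevated shell and the EnableLUA change only takes effect at the next logon.

```python
"""Grade the registry writes recorded in this report against a hardened baseline
and emit reg.exe commands that restore it.

Added example for this page, not the sandbox vendor's code. The input rows are
copied from the behavioral1 signature tables; BASELINE and the remediation
commands are this example's own assumptions about the desired host state."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe"
DROPPED_ESC = DROPPED.replace("\\", "\\\\")  # the Run-key row shows the path with doubled backslashes
FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
POL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
USR = r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed input: twelve rows taken from the behavioral1 tables, in the page's flattened format.
ROWS = [
    f'Set value (int) {FW}\\EnableFirewall = "0" {DROPPED} N/A',
    f'Set value (int) {FW}\\EnableFirewall = "0" {SAMPLE} N/A',
    f'Set value (int) {FW}\\DoNotAllowExceptions = "0" {SAMPLE} N/A',
    f'Set value (int) {FW}\\DisableNotifications = "1" {SAMPLE} N/A',
    f'Set value (int) {USR}\\Explorer\\Advanced\\HideFileExt = "1" {SAMPLE} N/A',
    f'Set value (int) {USR}\\Explorer\\Advanced\\ShowSuperHidden = "0" {SAMPLE} N/A',
    f'Set value (int) {POL}\\EnableLUA = "0" {DROPPED} N/A',
    f'Set value (int) {POL}\\EnableLUA = "0" {SAMPLE} N/A',
    f'Set value (int) {SC}\\AntiVirusDisableNotify = "1" {SAMPLE} N/A',
    f'Set value (int) {SC}\\FirewallOverride = "1" {DROPPED} N/A',
    f'Key created {SC}\\Svc {DROPPED} N/A',
    f'Set value (str) {USR}\\Run\\Microsoft Windows = "{DROPPED_ESC}" {SAMPLE} N/A',
]

# Key paths may contain spaces ("Security Center"), so the key is delimited by ' = "' or by
# the trailing two space-free tokens (process, target) rather than by whitespace.
SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+) \S+$')
CREATE_RE = re.compile(r'^Key created (?P<key>.+) (?P<proc>\S+) \S+$')

# Hardened baseline assumed by this example: leaf value name (lower-case) -> expected data.
BASELINE = {
    "enablelua": "1",              # UAC on; HKLM write, takes effect at next logon
    "enablefirewall": "1",         # firewall on for the profile
    "disablenotifications": "0",   # keep the "firewall is off" warning
    "antivirusdisablenotify": "0", "firewalldisablenotify": "0",
    "updatesdisablenotify": "0",   "uacdisablenotify": "0",
    "antivirusoverride": "0",      "firewalloverride": "0",
    "hidefileext": "0",            # show extensions (hardening choice; the Windows default is 1)
    "showsuperhidden": "1",        # show protected OS files (hardening choice; the default is 0)
}
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


@dataclass(frozen=True)
class RegEvent:
    op: str             # "set" or "create"
    path: str           # key path in native \REGISTRY\... form
    name: str           # value name, "" for key creation
    data: Optional[str]
    process: str


@dataclass
class Finding:
    path: str
    name: str
    observed: Optional[str]
    expected: Optional[str]
    verdict: str        # tampered | matches-baseline | persistence | review
    processes: set = field(default_factory=set)


def parse_rows(rows: List[str]) -> List[RegEvent]:
    events = []
    for row in rows:
        if m := SET_RE.match(row):
            path, _, name = m["key"].rpartition("\\")
            events.append(RegEvent("set", path, name, m["data"], m["proc"]))
        elif m := CREATE_RE.match(row):
            events.append(RegEvent("create", m["key"], "", None, m["proc"]))
        else:
            raise ValueError(f"unrecognised indicator row: {row}")
    return events


def verdict_for(ev: RegEvent) -> str:
    if ev.op == "create":
        return "review"
    expected = BASELINE.get(ev.name.lower())
    if expected is not None:
        return "tampered" if ev.data != expected else "matches-baseline"
    if ev.path.lower().endswith("\\currentversion\\run"):
        return "persistence"
    return "review"


def grade(events: List[RegEvent]) -> List[Finding]:
    """One finding per (key, value), merging every process that wrote it."""
    findings = {}
    for ev in events:
        ident = (ev.path.lower(), ev.name.lower())
        if ident not in findings:
            findings[ident] = Finding(ev.path, ev.name, ev.data, BASELINE.get(ev.name.lower()), verdict_for(ev))
        findings[ident].processes.add(ev.process)
    return list(findings.values())


def to_win32_path(path: str) -> str:
    """Native \\REGISTRY\\MACHINE\\X -> HKLM\\X and \\REGISTRY\\USER\\<SID>\\X -> HKU\\<SID>\\X (reg.exe form)."""
    for nt_prefix, hive in HIVES.items():
        if path.upper().startswith(nt_prefix):
            return hive + path[len(nt_prefix):]
    raise ValueError(f"unknown hive in {path}")


def remediation(findings: List[Finding]) -> List[str]:
    """reg.exe lines restoring tampered values and removing the Run entry.
    HKLM lines need an elevated shell; the file the Run entry points at must be removed separately."""
    cmds = []
    for fd in findings:
        if fd.verdict == "tampered":
            cmds.append(f'reg add "{to_win32_path(fd.path)}" /v {fd.name} /t REG_DWORD /d {fd.expected} /f')
        elif fd.verdict == "persistence":
            cmds.append(f'reg delete "{to_win32_path(fd.path)}" /v "{fd.name}" /f')
    return cmds


if __name__ == "__main__":
    findings = grade(parse_rows(ROWS))
    for fd in findings:
        print(f"{fd.verdict:16} {fd.name or '(key)'} = {fd.observed!r} from {len(fd.processes)} process(es)")
    print("\n".join(remediation(findings)))
```

Rows whose value has no baseline entry (DoNotAllowExceptions, the Svc key) come back as "review" rather than being silently accepted; that is deliberate, since a grading script should surface what it does not understand.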

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (23 drive letters; C:, D: and F: do not appear) C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

The dropped copy probes every drive letter in turn. Sality enumerates drives to find further executables to infect and removable media to seed, so this is infection reconnaissance rather than an ordinary directory listing.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Sality is known to store configuration data in C:\Windows\SYSTEM.INI, so the modified file (hashes in the Files section) is part of the infection and should be collected, not treated as a benign side effect.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A (20 entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A (21 entries)

SeDebugPrivilege is the privilege that lets a process open other processes, including system ones, with full access; enabling it is the prerequisite for the WriteProcessMemory calls listed below. Both the sample and its dropped copy enable it repeatedly.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\taskhost.exe
PID 840 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\Dwm.exe
PID 840 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\Explorer.EXE
PID 840 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\DllHost.exe
PID 840 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe (7 entries)
PID 2768 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe (2 entries)
PID 2768 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe (2 entries)
PID 2768 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE (2 entries)

PID 840 is the submitted sample and PID 2768 its dropped copy (see Processes). The sample writes into four Windows processes (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe) and seven times into the copy it has just started, consistent with a parent staging code in a child before letting it run; the copy then repeats the writes into the same three processes. A process image under the user profile writing into Windows binaries is the alertable behaviour here, independent of the Sality identification.
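The WriteProcessMemory entries above are the most reliable behavioural signal in this report: a binary running from a user-writable path writes into Windows processes. As an added example for this page (not the sandbox vendor's code), the following Python rebuilds the 17 recorded entries as constructed input, turns them into a writer-to-target graph, and tags each edge; the rule that anything under C:\Windows is a "system image" and anything else a user-writable source is this example's own heuristic.

```python
"""Cross-process write graph from this report's WriteProcessMemory rows.

Added example for this page, not the sandbox vendor's code. The notion of a
"system image" (anything under C:\\Windows) is this example's own heuristic."""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe"
SYSTEM_TARGETS = [
    (1096, r"C:\Windows\system32\taskhost.exe"),
    (1168, r"C:\Windows\system32\Dwm.exe"),
    (1196, r"C:\Windows\Explorer.EXE"),
    (1964, r"C:\Windows\system32\DllHost.exe"),
]

# Constructed input: the 17 entries of the behavioral1 WriteProcessMemory table, duplicates included
# (four system targets from the sample, seven writes into the dropped copy, two passes over three
# system targets from the copy).
ROWS = (
    [f"PID 840 wrote to memory of {pid} N/A {SAMPLE} {img}" for pid, img in SYSTEM_TARGETS]
    + [f"PID 840 wrote to memory of 2768 N/A {SAMPLE} {DROPPED}"] * 7
    + [f"PID 2768 wrote to memory of {pid} N/A {DROPPED} {img}" for pid, img in SYSTEM_TARGETS[:3]] * 2
)


def parse_rows(rows):
    """(src pid, dst pid, src image, dst image) per row; unknown rows fail loudly."""
    events = []
    for row in rows:
        m = WRITE_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row}")
        events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def is_system_image(path):
    # Heuristic: a binary under C:\Windows is treated as a Windows process.
    return path.lower().startswith("c:\\windows\\")


def write_graph(events):
    """src pid -> dst pid -> number of recorded writes."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst, _, _ in events:
        graph[src][dst] += 1
    return graph


def images(events):
    """pid -> image path, taken from whichever column the pid appears in."""
    out = {}
    for src, dst, src_img, dst_img in events:
        out[src] = src_img
        out[dst] = dst_img
    return out


def flag(events):
    """(src, dst, writes, tag) per edge whose writer is not a Windows binary.
    'inject-system': user-writable source writing into a Windows process.
    'seed-child':    user-writable source writing into another non-system process."""
    graph, img = write_graph(events), images(events)
    findings = []
    for src, targets in graph.items():
        if is_system_image(img[src]):
            continue  # writes by Windows binaries themselves are out of scope here
        for dst, n in targets.items():
            tag = "inject-system" if is_system_image(img[dst]) else "seed-child"
            findings.append((src, dst, n, tag))
    return findings


def reachable(graph, root):
    """Every pid that received writes from root directly or through an intermediate writer."""
    seen, stack = set(), [root]
    while stack:
        p = stack.pop()
        for q in graph.get(p, {}):
            if q not in seen:
                seen.add(q)
                stack.append(q)
    return seen


if __name__ == "__main__":
    events = parse_rows(ROWS)
    for src, dst, n, tag in flag(events):
        print(f"{tag:14} {src} -> {dst} ({n} write(s))")
    print("processes touched from 840:", sorted(reachable(write_graph(events), 840)))
```

The graph view makes the second hop visible: the dropped copy (2768) is itself a target of the sample before it becomes a writer, so a detection keyed only on the original file name would miss the three later injections.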

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Third listing of the same two EnableLUA writes (see "UAC bypass"); one indicator, three signature names.

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe

"C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

N/A (no network traffic was recorded during the 121 s network window)

Files

memory/840-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/840-1-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-3-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-4-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-7-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-8-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-10-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-13-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-14-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-12-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-11-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-15-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-28-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/840-29-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/840-27-0x0000000000980000-0x0000000000981000-memory.dmp

memory/840-25-0x0000000000980000-0x0000000000981000-memory.dmp

memory/840-24-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1096-16-0x0000000000390000-0x0000000000392000-memory.dmp

memory/840-30-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-33-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/840-39-0x0000000009340000-0x0000000009400000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 07f3e3a39135628f5fd5cbbefd4afe2a
SHA1 6c14af8f147b40d167b0978a631e6780744bb0f9
SHA256 8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e
SHA512 c91034d675509738b11eca44b1053872c3e221e4cb8337320a14fd91baeea17546b3355af811808557a2b96af15a79322d237a4c8384d8ebf5f6c886ad9c5cb3

Same SHA256 as the submitted sample: this file is a byte-for-byte copy of the sample placed under the user profile, not a second payload.

C:\Users\Admin\AppData\Local\Temp\0F761F44_Rar\rundll32.exe

MD5 8ca8216260b4f5e0d6e1132e49d1d25a
SHA1 c7ce0406001fb3eaaf82c5ad33945f01f0dddc11
SHA256 ddc806307ec3d800851db6c617343cad0a5e9af8dafe867b6dc2f33dd528cf64
SHA512 0644472c924acb7ae9c8f4b3222e5b2d3a95a9346587a104e437ab0d0c832b05fd153d7450e6d5f5f7d685be9b222712c2c6d869c05acd7efc89f63e83e29a33

memory/840-54-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/840-34-0x0000000002650000-0x00000000036DE000-memory.dmp

memory/2768-63-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-59-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-67-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-64-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-68-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-82-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2768-80-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2768-66-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-79-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2768-61-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-62-0x0000000003A70000-0x0000000004AFE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 6a96bbd5e4738b9499d8cdaaa84dead3
SHA1 e18178a80ebd9f0a231fffe137bcae791d1142ff
SHA256 ed86a20fe51983b85e94953dd3a653f1eff1100a027899a0ac498df340d998b3
SHA512 f20c26482a7f6b5e89d2882013fa947107d0649653a9b5517d57a9617e76349cbeff0824461ddf543de0e480a22c0707f1e9c6c851c245d263f91862dc0e5a1d

memory/2768-65-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-86-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-85-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-131-0x0000000003A70000-0x0000000004AFE000-memory.dmp

memory/2768-138-0x00000000001E0000-0x00000000001E2000-memory.dmp

C:\axcrp.exe

MD5 3af4e2bee8a8a4153b83d0fd8b7063f1
SHA1 440c5918cf9f55975af7d6dc988f980cda49ce81
SHA256 bb77c8922826e68cecf80cb6be7f2136baf60e2849d5b8e93ad627e2a39fade7
SHA512 72095fc6fc93eb3ebbf51b530ecb8bf4911b4e3f9c0374e8f7b05b8dfac75bd7db0100703e05aabe2f560c6e23553ad90b4e6ab3a38b856d5c1a66068fcd8e4e

A randomly named executable written to the root of the drive is characteristic of Sality's removable-drive spreading, which normally pairs such a file with an autorun.inf; no autorun.inf is listed in this run. Its hash differs from the sample, so it should be analysed separately.

memory/2768-213-0x0000000003A70000-0x0000000003AFD000-memory.dmp

memory/2768-212-0x0000000000400000-0x00000000004C0000-memory.dmp
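The memory dump names in the Files section encode process id, dump sequence number and address range, and the same region is dumped many times. As an added example for this page (not the sandbox vendor's code), the following Python parses a subset of the names listed above (constructed input), collapses repeated dumps into unique regions per process, and reports region sizes shared between processes: the 0xC0000-byte region at 0x400000 and the 0x108E000-byte region appear in both PID 840 and PID 2768, which is what one expects when the dropped copy runs the same code. Treating 0x400000 as the 32-bit image base is this example's assumption, not something the report states.

```python
"""Group the memory dump names from the Files section by process and region.

Added example for this page, not the sandbox vendor's code. Reading 0x400000 as
the 32-bit image base is a conventional assumption, not something the report states."""
import re
from collections import defaultdict
from typing import NamedTuple

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE = 0x400000  # assumption: default image base of a 32-bit PE


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


# Constructed input: a subset of the dump names listed in the Files section above.
NAMES = [
    "memory/840-0-0x0000000000400000-0x00000000004C0000-memory.dmp",
    "memory/840-1-0x0000000002650000-0x00000000036DE000-memory.dmp",
    "memory/840-15-0x0000000002650000-0x00000000036DE000-memory.dmp",
    "memory/840-24-0x00000000003F0000-0x00000000003F2000-memory.dmp",
    "memory/840-25-0x0000000000980000-0x0000000000981000-memory.dmp",
    "memory/1096-16-0x0000000000390000-0x0000000000392000-memory.dmp",
    "memory/840-39-0x0000000009340000-0x0000000009400000-memory.dmp",
    "memory/840-54-0x0000000000400000-0x00000000004C0000-memory.dmp",
    "memory/2768-59-0x0000000003A70000-0x0000000004AFE000-memory.dmp",
    "memory/2768-79-0x00000000003A0000-0x00000000003A1000-memory.dmp",
    "memory/2768-80-0x00000000001E0000-0x00000000001E2000-memory.dmp",
    "memory/2768-131-0x0000000003A70000-0x0000000004AFE000-memory.dmp",
    "memory/2768-213-0x0000000003A70000-0x0000000003AFD000-memory.dmp",
    "memory/2768-212-0x0000000000400000-0x00000000004C0000-memory.dmp",
]


def parse_dumps(names):
    dumps = []
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        dumps.append(Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return dumps


def regions_by_pid(dumps):
    """pid -> sorted unique (start, end) regions; repeated dumps of one region collapse to one entry."""
    out = defaultdict(set)
    for d in dumps:
        out[d.pid].add((d.start, d.end))
    return {pid: sorted(regions) for pid, regions in out.items()}


def shared_sizes(dumps):
    """region size -> pids that had a region of exactly that size, for sizes seen in more than one pid.
    Same-sized regions in parent and child are the first place to look when checking whether the
    dropped copy unpacks the same payload as the original."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d.size].add(d.pid)
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def image_dumps(dumps):
    """Latest dump per pid of the region at IMAGE_BASE: the candidate for the unpacked image."""
    latest = {}
    for d in sorted(dumps, key=lambda d: d.seq):
        if d.start == IMAGE_BASE:
            latest[d.pid] = d
    return latest


if __name__ == "__main__":
    dumps = parse_dumps(NAMES)
    for pid, regions in sorted(regions_by_pid(dumps).items()):
        print(pid, [(hex(s), hex(e), hex(e - s)) for s, e in regions])
    for size, pids in sorted(shared_sizes(dumps).items()):
        print(f"size {size:#x} seen in pids {sorted(pids)}")
    for pid, d in image_dumps(dumps).items():
        print(f"pid {pid}: unpacked image candidate is dump #{d.seq} ({d.size:#x} bytes)")
```

The latest dump of the 0x400000 region per process (sequence 54 for PID 840, 212 for PID 2768) is the one to load into a disassembler, since it was taken after the earlier unpacking activity recorded in the same process.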

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:39

Reported

2024-06-14 23:42

Platform

win10v2004-20240611-en

Max time kernel

33s

Max time network

97s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

The same Security Center writes as on Windows 7, made by the same code path. Windows 10 does not use these legacy values for its security status, so on this platform they leave a registry artifact that is useful for detection but do not silence anything.

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\fontdrvhost.exe
PID 2124 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\fontdrvhost.exe
PID 2124 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\dwm.exe
PID 2124 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\sihost.exe
PID 2124 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\svchost.exe
PID 2124 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\taskhostw.exe
PID 2124 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\Explorer.EXE
PID 2124 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\svchost.exe
PID 2124 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\DllHost.exe
PID 2124 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2124 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2124 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2124 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2124 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2124 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2124 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2124 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2124 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2124 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2124 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 5076 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 5076 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 5076 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 5076 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 5076 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 5076 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 5076 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 5076 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 5076 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 5076 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5076 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5076 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5076 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5076 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 5076 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 5076 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 5076 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 5076 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 5076 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 5076 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 5076 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 5076 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 5076 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5076 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5076 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5076 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5076 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 5076 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe

"C:\Users\Admin\AppData\Local\Temp\8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 07f3e3a39135628f5fd5cbbefd4afe2a
SHA1 6c14af8f147b40d167b0978a631e6780744bb0f9
SHA256 8ced8216fcf0e2813bc80a48eadc38456a93ab1a1acc7203061e95e1d962a79e
SHA512 c91034d675509738b11eca44b1053872c3e221e4cb8337320a14fd91baeea17546b3355af811808557a2b96af15a79322d237a4c8384d8ebf5f6c886ad9c5cb3

C:\Users\Admin\AppData\Local\Temp\0E574CA9_Rar\rundll32.exe

MD5 8ca8216260b4f5e0d6e1132e49d1d25a
SHA1 c7ce0406001fb3eaaf82c5ad33945f01f0dddc11
SHA256 ddc806307ec3d800851db6c617343cad0a5e9af8dafe867b6dc2f33dd528cf64
SHA512 0644472c924acb7ae9c8f4b3222e5b2d3a95a9346587a104e437ab0d0c832b05fd153d7450e6d5f5f7d685be9b222712c2c6d869c05acd7efc89f63e83e29a33

C:\Windows\SYSTEM.INI

MD5 be3ef2c590b9ab91391436cd427e5814
SHA1 7a8ef699254b221acb28abbb525b30fd66adcd48
SHA256 c7845cc725a580801336935b61110bb39f278e84bbd32b9dc5a525bc2dd29d98
SHA512 9ad76342724d2f6da8a27838e08eb060e25afbe0f35bd64108bb448ed7f666c38fd52f4a557b52ec41db73cc065fa640dfbdd92fba774d6e13d52721b7316085

C:\wfyp.exe

MD5 f00d36ab8764e390a22a82c4e9496ce2
SHA1 3cafda4329b2098444af3113840242662d60beac
SHA256 e7bc4bab2580872f02435654789b05b468758e986e08fd4f4d0748071a3db9ee
SHA512 6395259cf974cdcba58ee1d373cd444d8502033cb8b5d097af454a052c82a276e9752c01d060fab82e7fd1f126cb9867f8dfceecff9779608e1120f29d768788
