Analysis Overview
SHA256
8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea
Threat Level: Known bad
The file 8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
UAC bypass
Modifies firewall policy service
Sality
UPX dump on OEP (original entry point)
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
Loads dropped DLL
Executes dropped EXE
UPX packed file
Windows security modification
Checks whether UAC is enabled
Enumerates connected drives
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 00:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 00:44
Reported
2024-06-14 00:46
Platform
win7-20240611-en
Max time kernel
123s
Max time network
125s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| N/A | N/A | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
| N/A | N/A | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
| N/A | N/A | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
| N/A | N/A | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\817ccc52627cbda00165\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe
"C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe"
\??\c:\817ccc52627cbda00165\Setup.exe
c:\817ccc52627cbda00165\Setup.exe
Network
Files
memory/2420-1-0x0000000001000000-0x00000000018BA000-memory.dmp
memory/2420-0-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-5-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-7-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-8-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-13-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-25-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2420-24-0x00000000003B0000-0x00000000003B2000-memory.dmp
memory/2420-14-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-44-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1100-17-0x0000000001CA0000-0x0000000001CA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0F7656B8_Rar\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe
| MD5 | 1801436936e64598bab5b87b37dc7f87 |
| SHA1 | 28c54491be70c38c97849c3d8cfbfdd0d3c515cb |
| SHA256 | 67313b3d1bc86e83091e8de22981f14968f1a7fb12eb7ad467754c40cd94cc3d |
| SHA512 | 0b8f20b0f171f49eb49367f1aafa7101e1575ef055d7007197c21ab8fe8d75a966569444449858c31bd147357d2bf5a5bd623fe6c4dbabdc7d16999b3256ab8c |
memory/2420-11-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-9-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-12-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-10-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-72-0x00000000003B0000-0x00000000003B2000-memory.dmp
memory/2420-71-0x00000000003B0000-0x00000000003B2000-memory.dmp
\817ccc52627cbda00165\Setup.exe
| MD5 | 2af2c1a78542975b12282aca4300d515 |
| SHA1 | 3216c853ed82e41dfbeb6ca48855fdcd41478507 |
| SHA256 | 531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7 |
| SHA512 | 4a70bd4b542f6001e46f827f341676c34af1ea216c50ad981dd04f547cd67f73aaa420fcbed379dc05dab199bf5ba00d899c49ff75da577613209f96226227eb |
memory/2420-101-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
\??\c:\817ccc52627cbda00165\SetupEngine.dll
| MD5 | 63e7901d4fa7ac7766076720272060d0 |
| SHA1 | 72dec0e4e12255d98ccd49937923c7b5590bbfac |
| SHA256 | a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952 |
| SHA512 | de2e63bc090121484191cbf23194361d761b01c0fd332f35f0dfdfd0b11431b529e5c7f542031a0e7e26f31497d94b8baacfbf1c84c6493e66ac2ab76c11d0a0 |
memory/2420-104-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
\817ccc52627cbda00165\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
memory/2420-112-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
\??\c:\817ccc52627cbda00165\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFI5F21.tmp.html
| MD5 | 313b037ecb951802cff517364623973f |
| SHA1 | a4e4c73f13609d669c826772f0fd7473877901a0 |
| SHA256 | e7a575632732841fc236112c73918f515b098ea279d3c38f36393f1bcf49b788 |
| SHA512 | 6ed040b7b3b7c3423d73dcc1f8d660e3de444c654d6426172f524359656a6b291413e94da46602d84f450c8b26cd8c3e03b1db9ae9b5f68637c3ddc6426c170d |
\??\c:\817ccc52627cbda00165\UiInfo.xml
| MD5 | 4f90fcef3836f5fc49426ad9938a1c60 |
| SHA1 | 89eba3b81982d5d5c457ffa7a7096284a10de64a |
| SHA256 | 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b |
| SHA512 | 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160 |
\??\c:\817ccc52627cbda00165\ParameterInfo.xml
| MD5 | 13f8768c289476fdd103ff689d73cd2d |
| SHA1 | ddebcecc02c6b1b996423d62d0def8760f031f58 |
| SHA256 | 4eae293ca91b31aaa206e5a1c655714f0fe84e39f9331cb759d2236cdb915523 |
| SHA512 | c72998f30ebff8f4a757248639cf0351d03f5502be475b4cb8f02b09ad800dbbe2f9a82c7d9bde6d7bd748e0ee6e61b86e369192773fe726421a564e793a0139 |
\??\c:\817ccc52627cbda00165\1028\LocalizedData.xml
| MD5 | 7fc06a77d9aafca9fb19fafa0f919100 |
| SHA1 | e565740e7d582cd73f8d3b12de2f4579ff18bb41 |
| SHA256 | a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a |
| SHA512 | 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf |
\??\c:\817ccc52627cbda00165\1033\LocalizedData.xml
| MD5 | d642e322d1e8b739510ca540f8e779f9 |
| SHA1 | 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c |
| SHA256 | 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9 |
| SHA512 | e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d |
\??\c:\817ccc52627cbda00165\1031\LocalizedData.xml
| MD5 | b83c3803712e61811c438f6e98790369 |
| SHA1 | 61a0bc59388786ced045acd82621bee8578cae5a |
| SHA256 | 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6 |
| SHA512 | e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38 |
\??\c:\817ccc52627cbda00165\1049\LocalizedData.xml
| MD5 | 0eeb554d0b9f9fcdb22401e2532e9cd0 |
| SHA1 | 08799520b72a1ef92ac5b94a33509d1eddf6caf8 |
| SHA256 | beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c |
| SHA512 | 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d |
\??\c:\817ccc52627cbda00165\3082\LocalizedData.xml
| MD5 | 5397a12d466d55d566b4209e0e4f92d3 |
| SHA1 | fcffd8961fb487995543fc173521fdf5df6e243b |
| SHA256 | f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89 |
| SHA512 | 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b |
\??\c:\817ccc52627cbda00165\2052\LocalizedData.xml
| MD5 | 52b1dc12ce4153aa759fb3bbe04d01fc |
| SHA1 | bf21f8591c473d1fce68a9faf1e5942f486f6eba |
| SHA256 | d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3 |
| SHA512 | 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623 |
\??\c:\817ccc52627cbda00165\1042\LocalizedData.xml
| MD5 | 71dfd70ae141f1d5c1366cb661b354b2 |
| SHA1 | c4b22590e6f6dd5d39e5158b831ae217ce17a776 |
| SHA256 | cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331 |
| SHA512 | 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a |
\??\c:\817ccc52627cbda00165\1041\LocalizedData.xml
| MD5 | 7fcfbc308b0c42dcbd8365ba62bada05 |
| SHA1 | 18a0f0e89b36818c94de0ad795cc593d0e3e29a9 |
| SHA256 | 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2 |
| SHA512 | cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649 |
\??\c:\817ccc52627cbda00165\1040\LocalizedData.xml
| MD5 | 0af948fe4142e34092f9dd47a4b8c275 |
| SHA1 | b3d6dd5c126280398d9055f90e2c2c26dbae4eaa |
| SHA256 | c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248 |
| SHA512 | d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9 |
\??\c:\817ccc52627cbda00165\1036\LocalizedData.xml
| MD5 | e382abc19294f779d2833287242e7bc6 |
| SHA1 | 1ceae32d6b24a3832f9244f5791382865b668a72 |
| SHA256 | 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf |
| SHA512 | 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e |
memory/2420-134-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-135-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
\817ccc52627cbda00165\SetupUi.dll
| MD5 | 0d214ced87bf0b55883359160a68dacb |
| SHA1 | a60526505d56d447c6bbde03da980db67062c4c6 |
| SHA256 | 29cf99d7e67b4c54bafd109577a385387a39301bcdec8ae4ba1a8a0044306713 |
| SHA512 | d9004ebd42d4aa7d13343b3746cf454ca1a5144f7b0f437f1a31639cc6bd90c5dd3385612df926bf53c3ef85cfe33756c067cb757fff257d674a10d638fc03c5 |
\??\c:\817ccc52627cbda00165\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\817ccc52627cbda00165\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\??\c:\817ccc52627cbda00165\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\817ccc52627cbda00165\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
\??\c:\817ccc52627cbda00165\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\817ccc52627cbda00165\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\817ccc52627cbda00165\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\817ccc52627cbda00165\1033\SetupResources.dll
| MD5 | 0b4e76baf52d580f657f91972196cd91 |
| SHA1 | e6ac8f80ab8ade18ac7e834ac6d0536bb483988c |
| SHA256 | 74a7767d8893dcc1a745522d5a509561162f95bc9e8bcc3056f37a367dba64a4 |
| SHA512 | ed53292c549d09da9118e944a646aa5dc0a6231811eafcda4258c892b218bcf3e0363a2c974868d2d2722155983c5dc8e29bed36d58e566e1695e23ce07fea87 |
memory/2420-154-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-155-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-156-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-158-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-160-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-174-0x0000000004D20000-0x0000000004D22000-memory.dmp
memory/2788-181-0x0000000001CF0000-0x0000000001CF2000-memory.dmp
memory/2788-180-0x0000000001D00000-0x0000000001D01000-memory.dmp
memory/2420-173-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/2420-182-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-183-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-185-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-187-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-191-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-216-0x0000000002CC0000-0x0000000003D4E000-memory.dmp
memory/2420-226-0x00000000003B0000-0x00000000003B2000-memory.dmp
F:\seab.exe
| MD5 | aa74d4bec441550a07cd0aefce775de9 |
| SHA1 | 0f92c0a0206e2cbf7d6853f374584d1418eb83f9 |
| SHA256 | 14ca95cde0d34cc5f45f070fef5908a5b8876dc46ad4ea5da01087fb51c4a8f9 |
| SHA512 | 8cfca3e224e7943fbb1dc6c3b798377526e431338bd0eb18bc5e2d65b10ef778c0502542d032865344115adb096706bb380e986551c00f906a940fb4e181056e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 00:44
Reported
2024-06-14 00:46
Platform
win10v2004-20240611-en
Max time kernel
122s
Max time network
155s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
| N/A | N/A | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
| N/A | N/A | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
| N/A | N/A | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
| N/A | N/A | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | N/A |
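The registry values and dropped files in the signature tables above can be re-checked on a live host with the following read-only PowerShell triage script. It is an added example, not output of the sandbox and not code from the sample: the "expected" values are the Windows defaults (my assumption), the WOW6432Node paths follow from the report itself (a 32-bit sample writing through registry redirection on 64-bit Windows, so both views are checked), and the list of stock SYSTEM.INI section names is an assumption taken from a default installation.

```powershell
# Added example (not part of the sandbox report): re-check, on a live host, the
# registry and file-system changes this sample made. Run from an elevated prompt.
# Expected values below are the Windows defaults (assumption); paths come from the report.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # Returns a finding only when the value exists and differs from $Expected.
    $item = Get-ItemProperty -Path $Path -Name $Name
    if ($null -ne $item -and $item.$Name -ne $Expected) {
        return "$Path\$Name = $($item.$Name) (expected $Expected)"
    }
}

# 1. UAC: the sample set EnableLUA = 0 ("System policy modification" above).
$findings.Add((Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 1))

# 2. Security Center: every value the sample set to 1 is 0 on a clean host.
#    The report shows the WOW6432Node view (32-bit process, 64-bit OS); check both views.
$scValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
            'UacDisableNotify', 'AntiVirusOverride', 'FirewallOverride'
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
    foreach ($v in $scValues) { $findings.Add((Test-RegValue $root $v 0)) }
}

# 3. Drive roots: autorun.inf plus any executable beside it (the sample dropped
#    C:\autorun.inf, F:\autorun.inf and C:\edcupj.exe).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    if (Test-Path (Join-Path $root 'autorun.inf')) {
        $findings.Add("autorun.inf present at $root")
        Get-ChildItem -Path $root -Filter *.exe | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $findings.Add("executable at drive root: $($_.FullName) ($($_.Length) bytes)")
        }
    }
}

# 4. SYSTEM.INI: the sample opened it for modification. A stock copy carries only the
#    sections listed here (assumption: default Windows 7 install); report anything extra.
$ini = Join-Path $env:windir 'SYSTEM.INI'
$knownSections = '[386Enh]', '[drivers]', '[mci]'
if (Test-Path $ini) {
    Get-Content $ini | Where-Object { $_ -match '^\s*\[.+\]' } | ForEach-Object {
        $section = $_.Trim()
        if ($knownSections -notcontains $section) {
            $findings.Add("unexpected section in SYSTEM.INI: $section")
        }
    }
}

# Test-RegValue returns nothing when a value is at its default; drop those entries.
$results = @($findings | Where-Object { $_ })
if ($results.Count -eq 0) { 'No indicators from this report found.' } else { $results }
```

The script only reads; it does not restore EnableLUA or the Security Center values, because re-enabling UAC requires a reboot and a host with these changes should be treated as infected (Sality is a file infector) rather than repaired in place.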
Processes
| Image | Command line |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe | "C:\Users\Admin\AppData\Local\Temp\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe" |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| \??\c:\ca3447c8bf2abea2787dd8\Setup.exe | c:\ca3447c8bf2abea2787dd8\Setup.exe |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/1396-0-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-4-0x0000000001000000-0x00000000018BA000-memory.dmp
memory/1396-7-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E573846_Rar\8100857d21c9f3fb512cfc39ea5057b9e4e532cc5f809050c14678c0bcb486ea.exe
| MD5 | 1801436936e64598bab5b87b37dc7f87 |
| SHA1 | 28c54491be70c38c97849c3d8cfbfdd0d3c515cb |
| SHA256 | 67313b3d1bc86e83091e8de22981f14968f1a7fb12eb7ad467754c40cd94cc3d |
| SHA512 | 0b8f20b0f171f49eb49367f1aafa7101e1575ef055d7007197c21ab8fe8d75a966569444449858c31bd147357d2bf5a5bd623fe6c4dbabdc7d16999b3256ab8c |
memory/1396-11-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-16-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-14-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-12-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-8-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-20-0x00000000005A0000-0x00000000005A2000-memory.dmp
memory/1396-15-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-13-0x00000000005A0000-0x00000000005A2000-memory.dmp
memory/1396-17-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-10-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/1396-9-0x00000000005A0000-0x00000000005A2000-memory.dmp
memory/1396-22-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-21-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-88-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
C:\ca3447c8bf2abea2787dd8\Setup.exe
| MD5 | 2af2c1a78542975b12282aca4300d515 |
| SHA1 | 3216c853ed82e41dfbeb6ca48855fdcd41478507 |
| SHA256 | 531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7 |
| SHA512 | 4a70bd4b542f6001e46f827f341676c34af1ea216c50ad981dd04f547cd67f73aaa420fcbed379dc05dab199bf5ba00d899c49ff75da577613209f96226227eb |
\??\c:\ca3447c8bf2abea2787dd8\SetupEngine.dll
| MD5 | 63e7901d4fa7ac7766076720272060d0 |
| SHA1 | 72dec0e4e12255d98ccd49937923c7b5590bbfac |
| SHA256 | a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952 |
| SHA512 | de2e63bc090121484191cbf23194361d761b01c0fd332f35f0dfdfd0b11431b529e5c7f542031a0e7e26f31497d94b8baacfbf1c84c6493e66ac2ab76c11d0a0 |
\??\c:\ca3447c8bf2abea2787dd8\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
\??\c:\ca3447c8bf2abea2787dd8\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFI5499.tmp.html
| MD5 | 7b88df8a1dfd095e72b9c89d5ae7d715 |
| SHA1 | 9c24bec9b04efd418a38ba55d0f7c27c22b88b77 |
| SHA256 | 46ebf3be864dcda1860a43e40e5087b6c0b1f2cff5b15afb370b890183b12a73 |
| SHA512 | b7099f9541880a43252b1e62e1c910e2e72a5216bb3d55678943b6a4ae216f4700ff7bfa688f4c50cadfdc281e47b499e86b5fe423993f48eb1fa88c12a807e4 |
\??\c:\ca3447c8bf2abea2787dd8\UiInfo.xml
| MD5 | 4f90fcef3836f5fc49426ad9938a1c60 |
| SHA1 | 89eba3b81982d5d5c457ffa7a7096284a10de64a |
| SHA256 | 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b |
| SHA512 | 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160 |
\??\c:\ca3447c8bf2abea2787dd8\ParameterInfo.xml
| MD5 | 13f8768c289476fdd103ff689d73cd2d |
| SHA1 | ddebcecc02c6b1b996423d62d0def8760f031f58 |
| SHA256 | 4eae293ca91b31aaa206e5a1c655714f0fe84e39f9331cb759d2236cdb915523 |
| SHA512 | c72998f30ebff8f4a757248639cf0351d03f5502be475b4cb8f02b09ad800dbbe2f9a82c7d9bde6d7bd748e0ee6e61b86e369192773fe726421a564e793a0139 |
\??\c:\ca3447c8bf2abea2787dd8\1033\LocalizedData.xml
| MD5 | d642e322d1e8b739510ca540f8e779f9 |
| SHA1 | 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c |
| SHA256 | 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9 |
| SHA512 | e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d |
\??\c:\ca3447c8bf2abea2787dd8\1031\LocalizedData.xml
| MD5 | b83c3803712e61811c438f6e98790369 |
| SHA1 | 61a0bc59388786ced045acd82621bee8578cae5a |
| SHA256 | 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6 |
| SHA512 | e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38 |
\??\c:\ca3447c8bf2abea2787dd8\1028\LocalizedData.xml
| MD5 | 7fc06a77d9aafca9fb19fafa0f919100 |
| SHA1 | e565740e7d582cd73f8d3b12de2f4579ff18bb41 |
| SHA256 | a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a |
| SHA512 | 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf |
\??\c:\ca3447c8bf2abea2787dd8\1036\LocalizedData.xml
| MD5 | e382abc19294f779d2833287242e7bc6 |
| SHA1 | 1ceae32d6b24a3832f9244f5791382865b668a72 |
| SHA256 | 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf |
| SHA512 | 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e |
\??\c:\ca3447c8bf2abea2787dd8\1040\LocalizedData.xml
| MD5 | 0af948fe4142e34092f9dd47a4b8c275 |
| SHA1 | b3d6dd5c126280398d9055f90e2c2c26dbae4eaa |
| SHA256 | c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248 |
| SHA512 | d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9 |
\??\c:\ca3447c8bf2abea2787dd8\1041\LocalizedData.xml
| MD5 | 7fcfbc308b0c42dcbd8365ba62bada05 |
| SHA1 | 18a0f0e89b36818c94de0ad795cc593d0e3e29a9 |
| SHA256 | 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2 |
| SHA512 | cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649 |
\??\c:\ca3447c8bf2abea2787dd8\1042\LocalizedData.xml
| MD5 | 71dfd70ae141f1d5c1366cb661b354b2 |
| SHA1 | c4b22590e6f6dd5d39e5158b831ae217ce17a776 |
| SHA256 | cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331 |
| SHA512 | 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a |
\??\c:\ca3447c8bf2abea2787dd8\1049\LocalizedData.xml
| MD5 | 0eeb554d0b9f9fcdb22401e2532e9cd0 |
| SHA1 | 08799520b72a1ef92ac5b94a33509d1eddf6caf8 |
| SHA256 | beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c |
| SHA512 | 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d |
\??\c:\ca3447c8bf2abea2787dd8\3082\LocalizedData.xml
| MD5 | 5397a12d466d55d566b4209e0e4f92d3 |
| SHA1 | fcffd8961fb487995543fc173521fdf5df6e243b |
| SHA256 | f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89 |
| SHA512 | 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b |
\??\c:\ca3447c8bf2abea2787dd8\2052\LocalizedData.xml
| MD5 | 52b1dc12ce4153aa759fb3bbe04d01fc |
| SHA1 | bf21f8591c473d1fce68a9faf1e5942f486f6eba |
| SHA256 | d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3 |
| SHA512 | 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623 |
\??\c:\ca3447c8bf2abea2787dd8\SetupUi.dll
| MD5 | 0d214ced87bf0b55883359160a68dacb |
| SHA1 | a60526505d56d447c6bbde03da980db67062c4c6 |
| SHA256 | 29cf99d7e67b4c54bafd109577a385387a39301bcdec8ae4ba1a8a0044306713 |
| SHA512 | d9004ebd42d4aa7d13343b3746cf454ca1a5144f7b0f437f1a31639cc6bd90c5dd3385612df926bf53c3ef85cfe33756c067cb757fff257d674a10d638fc03c5 |
\??\c:\ca3447c8bf2abea2787dd8\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\ca3447c8bf2abea2787dd8\1033\SetupResources.dll
| MD5 | 0b4e76baf52d580f657f91972196cd91 |
| SHA1 | e6ac8f80ab8ade18ac7e834ac6d0536bb483988c |
| SHA256 | 74a7767d8893dcc1a745522d5a509561162f95bc9e8bcc3056f37a367dba64a4 |
| SHA512 | ed53292c549d09da9118e944a646aa5dc0a6231811eafcda4258c892b218bcf3e0363a2c974868d2d2722155983c5dc8e29bed36d58e566e1695e23ce07fea87 |
\??\c:\ca3447c8bf2abea2787dd8\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
\??\c:\ca3447c8bf2abea2787dd8\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\??\c:\ca3447c8bf2abea2787dd8\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
\??\c:\ca3447c8bf2abea2787dd8\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\ca3447c8bf2abea2787dd8\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
\??\c:\ca3447c8bf2abea2787dd8\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
memory/1396-138-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-139-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1976-143-0x0000000000A60000-0x0000000000A62000-memory.dmp
memory/1976-142-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/1396-144-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-145-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-146-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-147-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-149-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-152-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-153-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-155-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-158-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-160-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-161-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-164-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-165-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-169-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-170-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-173-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-179-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-180-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-182-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-183-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-184-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-188-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-189-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-190-0x0000000002CD0000-0x0000000003D5E000-memory.dmp
memory/1396-192-0x00000000005A0000-0x00000000005A2000-memory.dmp
C:\edcupj.exe
| MD5 | 9504e6292f4a905b9b9b6c8998482909 |
| SHA1 | b50578511a418895d1f84844b4b079fbd5621111 |
| SHA256 | 0476151dc3ede7656e084f99df10b056abfa0c29c76b18aa99a91051c414b17a |
| SHA512 | 748a2f4eff385f567ce47d3483c9197eda11812061e314cd635bb6971f53b3a0ac63618f65b82300afc6ce100bb731f7865de18624deea43f1b05d000667b789 |