Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-xznkjawglq
Target 68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7
SHA256 68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7
Tags
sality backdoor evasion trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7

Threat Level: Known bad

The file 68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Sality

Windows security modification

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 19:17

Reported

2024-06-14 19:20

Platform

win7-20240611-en

Max time kernel

125s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760d78 C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\DllHost.exe
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE
PID 2804 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhost.exe
PID 2804 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\Dwm.exe
PID 2804 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe

"C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.tz1a.cn udp
CN 211.159.170.45:80 update.tz1a.cn tcp
US 8.8.8.8:53 i.tz1a.cn udp
CN 140.143.213.182:80 i.tz1a.cn tcp
US 8.8.8.8:53 xzqlog.tz1a.cn udp
CN 140.143.213.182:80 xzqlog.tz1a.cn tcp

Files

memory/2804-0-0x0000000000400000-0x00000000006A8000-memory.dmp

memory/2804-8-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-3-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/1108-13-0x0000000000410000-0x0000000000412000-memory.dmp

memory/2804-10-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-5-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-7-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-6-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-26-0x0000000000740000-0x0000000000741000-memory.dmp

memory/2804-23-0x0000000000740000-0x0000000000741000-memory.dmp

memory/2804-22-0x0000000000730000-0x0000000000732000-memory.dmp

memory/2804-12-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-11-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-1-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-9-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-4-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-33-0x0000000000730000-0x0000000000732000-memory.dmp

memory/2804-32-0x0000000000730000-0x0000000000732000-memory.dmp

memory/2804-37-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-36-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-38-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-40-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-41-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-43-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-44-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-45-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-47-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-49-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-57-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-59-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-60-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-65-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-66-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-69-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-71-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-72-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-75-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-77-0x00000000022F0000-0x00000000033AA000-memory.dmp

memory/2804-93-0x0000000000730000-0x0000000000732000-memory.dmp

F:\buxqb.pif

MD5 b9f03ecf310c889fcfd5e029ee209990
SHA1 84252fe5c427bbeb19490289df5840d3c70b0659
SHA256 eb9e0f529afade5ac36ddb6640add7e00748f5d1b45ca8dd28e21c255c8c901d
SHA512 132e3742aca4214f1ccf879376ecefc7da52ddc976202cef19c8b5415cb20e383f5f991c24733efca8b34c67472ab4d737f04e644b8d402b221204ca3d0d4ae6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 19:17

Reported

2024-06-14 19:20

Platform

win10v2004-20240611-en

Max time kernel

123s

Max time network

96s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: through \??\Z:, every letter except F: (21 rows, one per drive letter: E G H I J K L M N O P Q R S T U V W X Y Z) C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573345 C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A (30 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\fontdrvhost.exe (4 rows)
PID 1964 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\fontdrvhost.exe (4 rows)
PID 1964 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\dwm.exe (4 rows)
PID 1964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\sihost.exe (4 rows)
PID 1964 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\svchost.exe (4 rows)
PID 1964 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\taskhostw.exe (4 rows)
PID 1964 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\Explorer.EXE (4 rows)
PID 1964 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\svchost.exe (4 rows)
PID 1964 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\DllHost.exe (4 rows)
PID 1964 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (4 rows)
PID 1964 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\System32\RuntimeBroker.exe (4 rows)
PID 1964 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (3 rows)
PID 1964 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\System32\RuntimeBroker.exe (3 rows)
PID 1964 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (3 rows)
PID 1964 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\System32\RuntimeBroker.exe (3 rows)
PID 1964 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\backgroundTaskHost.exe (1 row)
PID 1964 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\system32\backgroundTaskHost.exe (3 rows)
PID 1964 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\System32\RuntimeBroker.exe (2 rows)
PID 1964 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe C:\Windows\System32\RuntimeBroker.exe (2 rows)
(64 rows in total, collapsed to one line per target PID; the count of writes to that PID is in parentheses)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe N/A
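
The registry, drive, file and cross-process rows in the signature tables above (firewall policy, Security Center overrides and notification suppression, EnableLUA, drive probing, autorun.inf drops, executables opened for modification, writes into system processes) are what an analyst normally wants pulled out of a report like this one. The Python script below is an added example, not part of the sandbox's tooling or of the sample: it parses rows in the space-separated layout the tables above use (that layout is inferred from the page and is an assumption of the example, so the regexes are its own) and reduces them to a short tamper and propagation summary. The embedded rows are copied from the tables above with the dropped file's hash name shortened to sample.exe. Two caveats the summary bakes in: the Security Center values land under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there, so a host check has to look at both registry views; and EnableLUA = 0 only takes effect after a restart, so UAC is still active for the rest of the sandbox run.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: rows copied from the tables above, with the dropped
# file's long hash name shortened to sample.exe for readability.
PROC = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" {P} N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" {P} N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" {P} N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc {P} N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {P} N/A
File opened (read-only) \??\Q: {P} N/A
File opened (read-only) \??\G: {P} N/A
File opened for modification F:\autorun.inf {P} N/A
File opened for modification C:\autorun.inf {P} N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe {P} N/A
File created C:\Windows\e573345 {P} N/A
File opened for modification C:\Windows\SYSTEM.INI {P} N/A
PID 1964 wrote to memory of 780 N/A {P} C:\Windows\system32\fontdrvhost.exe
PID 1964 wrote to memory of 784 N/A {P} C:\Windows\system32\fontdrvhost.exe
PID 1964 wrote to memory of 3452 N/A {P} C:\Windows\Explorer.EXE
""".replace("{P}", PROC)

# Row grammar inferred from the tables above (an assumption of this example):
# "<description> [<indicator>] <process> <target>", space-separated, where
# registry key names and file paths may themselves contain spaces.
REG_SET = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<value>[^"]*)" \S+ \S+$')
REG_KEY = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+?) \S+ \S+$')
DRIVE = re.compile(r'^File opened \(read-only\) \\\?\?\\(?P<drive>[A-Z]): \S+ \S+$')
FILE = re.compile(r'^File (?:opened for modification|created) (?P<path>.+?) \S+ \S+$')
WPM = re.compile(r'^PID \d+ wrote to memory of (?P<pid>\d+) \S+ \S+ (?P<target>\S+)$')


@dataclass
class Summary:
    security_center: dict[str, str] = field(default_factory=dict)  # value name -> data
    keys_created: list[str] = field(default_factory=list)
    firewall_disabled: bool = False   # FirewallPolicy\...\EnableFirewall = 0
    uac_disabled: bool = False        # Policies\System\EnableLUA = 0
    drives_probed: list[str] = field(default_factory=list)
    files_written: list[str] = field(default_factory=list)
    injection_targets: Counter = field(default_factory=Counter)  # target image -> writes
    unparsed: list[str] = field(default_factory=list)

    @property
    def autorun_drops(self) -> list[str]:
        return sorted(p for p in self.files_written if p.lower().endswith("\\autorun.inf"))

    @property
    def executables_modified(self) -> list[str]:
        return [p for p in self.files_written if p.lower().endswith(".exe")]


def summarize(rows: str) -> Summary:
    """Classify each signature row; anything the grammar misses lands in unparsed."""
    s = Summary()
    for row in (r.strip() for r in rows.splitlines()):
        if not row or row.startswith("Description "):
            continue  # blank line or the table header
        if m := REG_SET.match(row):
            key, name, value = m["key"], m["name"], m["value"]
            if key.endswith("\\Microsoft\\Security Center"):
                s.security_center[name] = value
            elif "\\FirewallPolicy\\" in key and name == "EnableFirewall":
                s.firewall_disabled = value == "0"
            elif key.endswith("\\Policies\\System") and name == "EnableLUA":
                s.uac_disabled = value == "0"
        elif m := REG_KEY.match(row):
            s.keys_created.append(m["key"])
        elif m := DRIVE.match(row):
            s.drives_probed.append(m["drive"])
        elif m := FILE.match(row):
            s.files_written.append(m["path"])
        elif m := WPM.match(row):
            s.injection_targets[m["target"]] += 1
        else:
            s.unparsed.append(row)
    s.drives_probed.sort()
    return s


def findings(s: Summary) -> list[str]:
    """Human-readable conclusions, in the order an analyst would triage them."""
    out = []
    if s.firewall_disabled:
        out.append("Windows Firewall disabled for the standard profile (EnableFirewall = 0)")
    muted = sorted(n for n, v in s.security_center.items() if n.endswith("DisableNotify") and v == "1")
    if muted:
        out.append("Security Center notifications suppressed: " + ", ".join(muted))
    overridden = sorted(n for n, v in s.security_center.items() if n.endswith("Override") and v == "1")
    if overridden:
        out.append("Security Center status monitoring overridden: " + ", ".join(overridden))
    if s.uac_disabled:
        out.append("UAC disabled (EnableLUA = 0; takes effect only after a restart)")
    if s.autorun_drops:
        out.append("autorun.inf written to drive roots: " + ", ".join(s.autorun_drops))
    if s.executables_modified:
        out.append(f"{len(s.executables_modified)} existing .exe files opened for modification")
    if s.injection_targets:
        out.append(f"{sum(s.injection_targets.values())} writes into {len(s.injection_targets)} distinct system processes")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_ROWS)):
        print("-", line)
```

Run it as a script to print the findings for the embedded rows, or feed summarize() the full signature tables from this report. The unparsed list is the check that matters when pasting a whole table: any row the grammar does not recognise ends up there instead of silently disappearing, which is how you find out the sandbox changed its row layout rather than that the sample stopped doing something.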

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe

"C:\Users\Admin\AppData\Local\Temp\68c442f2ea953286267541323f3278e543fcd77da9fc0ce78d9d672d848062e7.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.tz1a.cn udp
CN 211.159.170.45:80 update.tz1a.cn tcp
US 8.8.8.8:53 i.tz1a.cn udp
CN 140.143.213.182:80 i.tz1a.cn tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 xzqlog.tz1a.cn udp
CN 140.143.213.182:80 xzqlog.tz1a.cn tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp

Files

C:\kbfpha.exe

MD5 93c57ef0c723757b20083cc7f9fa9bd0
SHA1 122f0c4df8e65a49d025b74eb6555226ba86e63c
SHA256 5ebe943b131aff65ffab16e6d4e5f9f22c10e05d2225d2f189bad2a09b5bed98
SHA512 2e705366faa398f56f1261d93baddb721ac4f77798f5f6bc61c95c11005caf939edd898d2176d533bf1b6368c792f027c627f1f5f66732885a930b73947fbc05