Malware Analysis Report

2025-01-02 07:25

Sample ID: 240914-ese1pswdpk
Target: a49fec56698a9c7603bfc46649f4b660N
SHA256: 9873a13792db67e79bf4a8c7bec3794ddf285089d330cfe7532256963fb64f5f
Tags: floxif backdoor bootkit discovery persistence privilege_escalation trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 9873a13792db67e79bf4a8c7bec3794ddf285089d330cfe7532256963fb64f5f

Threat Level: Known bad

The file a49fec56698a9c7603bfc46649f4b660N was found to be: Known bad.

Malicious Activity Summary

floxif backdoor bootkit discovery persistence privilege_escalation trojan upx

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

Drops startup file

UPX packed file

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Network Service Discovery

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-09-14 04:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-14 04:11

Reported

2024-09-14 04:13

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

UPX packed file

upx
Description Indicator Process Target
27 matches (the sandbox exported no per-match detail)
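The "UPX packed file" signature above is a static match with no detail exported, so it is worth knowing what such a rule keys on: the section names UPX0/UPX1 in the PE section table, the fact that UPX0 (the in-memory unpack destination) has no raw bytes on disk but a large virtual size, and the "UPX!" marker stock UPX leaves after the section headers. The following Python is an added example, not part of the sandbox report or of any sample on this page: it parses the section table with the standard library only and, to run offline, builds two constructed, non-executable PE headers (one UPX-style, one plain compiler layout). Point `upx_indicators()` at `open(path, "rb").read()` to run it on a real file.

```python
import struct

# Added example (not from the sandbox report): a dependency-free check that
# reproduces what a "UPX packed file" static signature usually keys on.

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size), ...] from a PE's section table.
    Raises ValueError when the DOS/PE headers are malformed or truncated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    try:
        _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
        first = coff + 20 + opt_size
        out = []
        for i in range(nsections):
            fields = struct.unpack_from(SECTION_HDR, data, first + 40 * i)
            name = fields[0].rstrip(b"\0").decode("ascii", "replace")
            out.append((name, fields[1], fields[3]))  # VirtualSize, SizeOfRawData
        return out
    except struct.error as exc:
        raise ValueError("truncated header") from exc


def upx_indicators(data: bytes) -> list:
    """List the UPX tells found; an empty list means no match."""
    try:
        sections = pe_sections(data)
    except ValueError:
        return []
    hits = []
    for name, vsize, raw in sections:
        if name.startswith("UPX"):
            hits.append(f"section named {name}")
        # UPX0 is the in-memory unpack destination: no bytes on disk, large virtual span
        if name == "UPX0" and raw == 0 and vsize > 0:
            hits.append(f"UPX0 reserves {vsize:#x} bytes but has no raw data")
    if b"UPX!" in data[:0x1000]:  # stock UPX leaves this marker after the section table
        hits.append("'UPX!' marker in header area")
    return hits


def looks_upx_packed(data: bytes) -> bool:
    return bool(upx_indicators(data))


def build_pe(sections, trailer: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE32 header for testing (constructed
    data, not bytes taken from the analysed sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                    raw, 0, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, raw) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


# Constructed headers: a UPX-style layout and a plain compiler layout.
PACKED = build_pe([("UPX0", 0x70000, 0), ("UPX1", 0x2D000, 0x2C800), (".rsrc", 0x1000, 0x600)],
                  trailer=b"UPX!")
PLAIN = build_pe([(".text", 0x3000, 0x3000), (".data", 0x800, 0x400), (".rsrc", 0x400, 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(img))
```

Section names are trivially renamed by a packer's user, so treat a hit as a reason to unpack and re-hash rather than as proof of the packer; the size pattern of a zero-raw-size first section survives renaming and is the more durable tell.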

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
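Both the dropper and the copied E37CC5.EXE opened \??\PhysicalDrive0 for modification, which is why the bootkit/persistence signature fires. Opening the raw device is not proof on its own (disk enumeration does the same), so a responder confirms a boot-sector change by comparing sector 0 with a trusted copy. The Python below is an added example, not part of the sandbox report: it decodes a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature) and reports what differs from a baseline. The two sectors it works on are constructed in the script; the boot-code bytes are placeholders, not bytes from this sample.

```python
import hashlib
import struct

# Added example (not from the sandbox report): verify a disk's sector 0 against
# a trusted copy after a process has been seen opening PhysicalDrive0 for write.

SECTOR = 512
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode the classic MBR layout: boot code (0..439), disk signature (440..443),
    four partition entries from offset 446, and the 0x55AA signature at 510."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        if ptype != 0:  # empty slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": parts,
    }


def mbr_changes(baseline: bytes, current: bytes) -> list:
    """Findings from comparing sector 0 with a trusted baseline (empty list = unchanged)."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("0x55AA signature missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature modified")
    return findings


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a constructed sector 0 for testing; partitions are (bootable, type, lba, count)."""
    s = bytearray(SECTOR)
    s[:len(boot_code)] = boot_code
    struct.pack_into("<I", s, 440, 0x1B2D4F6A)  # arbitrary disk signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, s, 446 + 16 * i, 0x80 if bootable else 0,
                         b"\0\0\0", ptype, b"\0\0\0", lba, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


# Constructed: a typical two-partition Windows layout. The boot code bytes are
# placeholders, not the sample's.
BASELINE = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32,
                    [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41734144)])
# Simulated bootkit edit: first bytes of the boot stub replaced, partition table untouched.
_tampered = bytearray(BASELINE)
_tampered[:8] = b"\xfa\x31\xc0\x8e\xd8\xeb\x10\x90"
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print(parse_mbr(BASELINE)["partitions"])
    print(mbr_changes(BASELINE, TAMPERED))
```

On a live Windows host the sector is read from the Win32 device path \\.\PhysicalDrive0 (the \??\PhysicalDrive0 form in the rows above is the NT object-manager path of the same device) and requires administrator rights; a baseline taken from a known-clean image of the same Windows build is the comparison target. A bootkit that keeps the partition table intact and only swaps the boot stub, as simulated above, is exactly the case a partition-table-only check would miss.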

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.edt C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\EE37CC C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec_a.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\1A2F16 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created \??\c:\progra~1\common~1\system\symsrv.dll.000 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A 9
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A 1

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\arp.exe N/A 9
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2112 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\explorer.exe 4
PID 2112 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe 4
PID 2112 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE 4

Processes

C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe

"C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 69-6d-c4-04-fc-4a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 d2-5d-78-a7-6a-7a

C:\Windows\SysWOW64\arp.exe

arp -s 49.12.169.208 46-84-07-b1-41-74

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 8e-d7-60-be-ab-44

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 7c-3b-7f-7e-f9-86

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 83-24-0a-04-62-4a

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 54-8c-2a-fc-6f-cd

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 50-f6-b5-c9-70-24

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.2.79:80 www.aieov.com tcp
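The process list and network table above are the most reusable part of a report like this. The Python below is an added example, not part of the sandbox output: it parses rows in the flattened format used on this page (file rows, arp command lines, network rows), collects host and network IOCs, and checks each `arp -s` entry against the MAC the address must map to. Multicast IPs map to 01-00-5e followed by the low 23 bits of the address (RFC 1112) and 255.255.255.255 maps to ff-ff-ff-ff-ff-ff, so a static entry that pins one of those to an ordinary unicast MAC is wrong on any network; the gateway entry (10.127.0.1) cannot be validated offline. The input is a subset of rows copied from behavioral1. The regexes and the SysWOW64\<six hex characters>\ directory pattern are assumptions fitted to this page's rows, not a general parser for the sandbox's export.

```python
import ipaddress
import re

# Added example (not from the sandbox report): turn the flattened signature rows,
# process command lines and network rows into IOCs and flag static ARP entries
# whose MAC cannot be legitimate for the address.

# Constructed input: a subset of rows copied verbatim from behavioral1.
REPORT_ROWS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
arp -a
arp -s 10.127.0.1 69-6d-c4-04-fc-4a
arp -s 224.0.0.22 8e-d7-60-be-ab-44
arp -s 239.255.255.250 54-8c-2a-fc-6f-cd
arp -s 255.255.255.255 50-f6-b5-c9-70-24
US 8.8.8.8:53 www.aieov.com udp
US 45.33.2.79:80 www.aieov.com tcp
"""

# Assumed row shapes (fitted to this page, not a general sandbox export parser).
FILE_RE = re.compile(r"^(File created|File opened for modification) (.+) (C:\\\S+) N/A$")
ARP_RE = re.compile(r"^arp -s (\S+) ([0-9a-f]{2}(?:-[0-9a-f]{2}){5})$", re.I)
NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")
SYSDIR_HEX_RE = re.compile(r"^C:\\Windows\\SysWOW64\\[0-9A-F]{6}\\", re.I)


def expected_mac(ip: str):
    """MAC an ARP entry must carry for broadcast/multicast IPs; None for unicast
    (where the right answer depends on the network and cannot be checked offline)."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "ff-ff-ff-ff-ff-ff"
    if addr.is_multicast:  # RFC 1112 mapping: 01-00-5e + low 23 bits of the address
        b = addr.packed
        return f"01-00-5e-{b[1] & 0x7F:02x}-{b[2]:02x}-{b[3]:02x}"
    return None


def triage(rows: str) -> dict:
    """Collect IOCs from report rows; every value list is de-duplicated and sorted."""
    iocs = {k: [] for k in ("dropped", "startup", "raw_disk", "arp_static",
                            "arp_bogus", "domains", "ips")}
    for line in rows.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            action, path, proc = m.groups()
            low = path.lower()
            if "physicaldrive" in low:
                iocs["raw_disk"].append(proc)          # process that touched sector 0
            elif action == "File created":
                if "\\start menu\\programs\\startup\\" in low:
                    iocs["startup"].append(path)       # per-user autostart
                elif SYSDIR_HEX_RE.match(path) or low.startswith("c:\\program files\\"):
                    iocs["dropped"].append(path)       # payload copies worth hashing
        elif m := ARP_RE.match(line):
            ip, mac = m.group(1), m.group(2).lower()
            iocs["arp_static"].append((ip, mac))
            want = expected_mac(ip)
            if want is not None and want != mac:
                iocs["arp_bogus"].append((ip, mac, want))
        elif m := NET_RE.match(line):
            _country, ip, port, domain, proto = m.groups()
            iocs["domains"].append(domain)
            iocs["ips"].append(f"{ip}:{port}/{proto}")
    return {k: sorted(set(v)) for k, v in iocs.items()}


if __name__ == "__main__":
    for key, values in triage(REPORT_ROWS).items():
        print(f"{key}: {values}")
```

A static ARP entry that maps a multicast or broadcast address to a unicast MAC makes the host send those frames to an address nobody on the segment owns; the addresses in the report's commands (224.0.0.22 IGMP, 224.0.0.251 mDNS, 224.0.0.252 LLMNR, 239.255.255.250 SSDP, 255.255.255.255) are the local-discovery destinations. On a suspect host, `arp -a` showing "static" entries for those addresses is a cheap confirmation that this sample, or something like it, ran.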

Files

memory/2112-0-0x0000000000400000-0x0000000000472000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/2112-4-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2788-8-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2112-15-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2788-16-0x0000000010000000-0x0000000010033000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/2112-18-0x0000000003200000-0x000000000331D000-memory.dmp

memory/2884-24-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2772-23-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2760-28-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2664-32-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2544-30-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2556-35-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2112-34-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2768-40-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2620-38-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2112-37-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2856-27-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2112-45-0x0000000002920000-0x000000000293E000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/2112-42-0x00000000003C0000-0x00000000003D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

C:\Windows\SysWOW64\9E3B3C\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/2772-65-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2884-67-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2664-93-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-108-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2844-107-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2856-110-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2544-106-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-112-0x0000000001EC0000-0x0000000001FDD000-memory.dmp

\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/2844-117-0x0000000002390000-0x00000000023DA000-memory.dmp

memory/896-114-0x0000000003D10000-0x0000000003D20000-memory.dmp

memory/2112-103-0x0000000002F10000-0x0000000002F2F000-memory.dmp

memory/2112-102-0x0000000002F10000-0x0000000002F2F000-memory.dmp

memory/2760-100-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2768-99-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-121-0x0000000002120000-0x0000000002131000-memory.dmp

memory/2844-124-0x00000000023E0000-0x00000000023FE000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 e2b86e9a37fe4f85bbf0d08af28690a2
SHA1 d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256 b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

memory/2556-87-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-136-0x0000000002D00000-0x0000000002D5D000-memory.dmp

\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

memory/2620-98-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2112-75-0x0000000002B80000-0x0000000002B94000-memory.dmp

memory/2844-145-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/2112-144-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-146-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-149-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2844-157-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2844-159-0x0000000002D80000-0x0000000002D90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-14 04:11

Reported

2024-09-14 04:14

Platform

win10v2004-20240802-en

Max time kernel

111s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

UPX packed file

upx
Description Indicator Process Target
7 matches (the sandbox exported no per-match detail)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\C021A2 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\1A2F16 C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\spec_a.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\spec.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\cnvpe.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\krnln.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.EDT C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\dp1.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\internet.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\RegEx.fnr C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\119e.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File created C:\Windows\SysWOW64\9E3B3C\eAPI.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\shell.fne C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File created C:\Windows\SysWOW64\9E3B3C\com.run C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.inf C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
File opened for modification C:\Windows\SysWOW64\C021A2\3c8c.edt C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\arp.exe
PID 5016 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\explorer.exe
PID 5016 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\explorer.exe
PID 5016 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\explorer.exe
PID 5016 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 5016 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
PID 5016 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe

"C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 92-c4-0e-03-c4-47

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 4d-89-e4-a3-e9-0a

C:\Windows\SysWOW64\arp.exe

arp -s 136.243.76.170 6c-7d-c9-6b-f1-16

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 99-3e-07-37-42-29

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 35-dc-88-da-36-b8

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 8b-f8-4c-7b-cd-da

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 70-b1-ed-3f-52-3e

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 13-8e-27-99-0c-c3

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

C:\Windows\system32\9E3B3C\E37CC5.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/5016-0-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/5016-3-0x0000000010000000-0x0000000010033000-memory.dmp

memory/5016-8-0x0000000000403000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 cf46bb62a1ba559ceb0fad7a5d642f28
SHA1 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256 fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

memory/5016-17-0x0000000002E80000-0x0000000002F9D000-memory.dmp

memory/1368-23-0x0000000010000000-0x0000000010033000-memory.dmp

memory/5016-27-0x00000000022A0000-0x00000000022B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 d54753e7fc3ea03aec0181447969c0e8
SHA1 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512 c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256 fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

memory/5016-33-0x00000000022C0000-0x00000000022DE000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\eAPI.fne

MD5 936745bac5c873ab1a91478d27894626
SHA1 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256 edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1 d93676c39ad0181dad70a662c41fc4c280cce848
SHA256 bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512 e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

memory/1368-59-0x0000000010000000-0x0000000010033000-memory.dmp

memory/5016-69-0x0000000002380000-0x0000000002394000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

MD5 e2b86e9a37fe4f85bbf0d08af28690a2
SHA1 d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256 b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

memory/3916-82-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3916-89-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3916-87-0x0000000002390000-0x00000000024AD000-memory.dmp

memory/3916-93-0x0000000002630000-0x000000000267A000-memory.dmp

C:\Windows\SysWOW64\9E3B3C\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/3916-98-0x0000000002CA0000-0x0000000002CB1000-memory.dmp

memory/3916-102-0x0000000003350000-0x000000000336E000-memory.dmp

memory/3916-115-0x0000000003380000-0x00000000033DD000-memory.dmp

memory/5016-122-0x0000000010000000-0x0000000010033000-memory.dmp

memory/5016-121-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3916-126-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3916-136-0x0000000000400000-0x000000000041F000-memory.dmp