Analysis Overview
SHA256
bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457e
Threat Level: Known bad
The file bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Floxif family
Detects Floxif payload
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Enumerates connected drives
Checks installed software on the system
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 03:52
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 03:52
Reported
2024-11-04 03:54
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\ = "MagicLineMBX 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\InprocServer32\ = "C:\\PROGRA~2\\DREAMS~1\\MAGICL~1\\MAGICL~1.DLL" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32\ = "C:\\PROGRA~2\\DREAMS~1\\MAGICL~1\\MAGICL~1.DLL, 102" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CurVer\ = "admctrl.FileIO.1" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX.1\CLSID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX.1\ = "MagicLineMBX Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Control | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Version | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX\CurVer | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\LocalizedString = "@C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll,-101" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ = "IFileIO" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
"C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"
Network
Files
\Program Files\Common Files\System\symsrv.dll
| Hash | Value |
| --- | --- |
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll
| Hash | Value |
| --- | --- |
| MD5 | f44c463727629428543da74af7c4aa56 |
| SHA1 | c3925c5326c83366fedb5d899616c23b1eb35686 |
| SHA256 | 8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc |
| SHA512 | 861cca7892ba39ecef3bfd8fcfe6bb3d2a84de13282c60e191dbe95cbb66a0246692ed9f59c5ff7e36aa8f0e4fd93d74d108045099cc26c30600359b3ae5e7ca |
\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll
| Hash | Value |
| --- | --- |
| MD5 | e5874a2edf0ed6578b89f606263ef61a |
| SHA1 | 932470e5189664eae901bb3130e10ca605c948c4 |
| SHA256 | 092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2 |
| SHA512 | dae2260472fb33700d032038d808f05a4c4b666afe3cfb0a2fda5e0a09ca93305fc4331c570b001a770a6d9b95a379c3b53ad57dadb7c1688ca656a0c2a4ac8e |
\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll
| Hash | Value |
| --- | --- |
| MD5 | ec0f6b05f7321ee8c6b4d2c8da487c67 |
| SHA1 | 48b2eb1aa2572f4b7ed5f3de3e119fcb72f40d2e |
| SHA256 | 0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f |
| SHA512 | d563e4c0ccd459db004c0e5518c706c115cd966d5c4ddb0e1bd64582e69c53146b67dc7b71920521c3837398073db4cb2d0eed577aedcd556adf3db07ae35dab |
\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll
| Hash | Value |
| --- | --- |
| MD5 | 7629e9d7490c8fbb60fbff721fd39bed |
| SHA1 | 9d0cddb60bd1fda9a31c04d0eecc797ecc4b3f46 |
| SHA256 | 64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2 |
| SHA512 | c2fc9b85d32fba6173d8a1f5d413a061ef2df189fd980434f008c6cfe759a41a8ae57f6642f5e0c4cbd15e6d5275092438db419e1b7f08c40be37d4512f783f3 |
\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll
| Hash | Value |
| --- | --- |
| MD5 | 925e8fed4e272cfb552d3a6eafc23b34 |
| SHA1 | e83def94a9cdf40c59cdbd8232cb69db82f15aa1 |
| SHA256 | 4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb |
| SHA512 | e2d33e4ea78e36a11466a5fc953a6bb81bb9bc43b7b02da7f483dc2269d4b6b1f9d60088a928baa727ad40d82cf2140ca33d0c570d70dcda51b5a11df19f8593 |
\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll
| Hash | Value |
| --- | --- |
| MD5 | 548d42f4f74ccca097de9ecbaa067f3f |
| SHA1 | 7b1a12b3339a052797f42043be335c5a32efe4a4 |
| SHA256 | a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822 |
| SHA512 | b1b8bc55422ec31aeb0a44456821e4b1a9c2a08bcbd397f4c4eaa4a282f6f4b9a050c671c228ea6cf122eac883031c1e5d35c779bc2f291186ebe42ca50281a2 |
\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.tmp
| Hash | Value |
| --- | --- |
| MD5 | bd3e1fc747aaff04f84a1caa756d71f1 |
| SHA1 | 028e123c771a318d39a29d31034191953503c2f3 |
| SHA256 | fb2fac601ef045db90a2931abd103ee4018a8c7d4303a4125ad85c28fe4a075c |
| SHA512 | d719a68320d65d157ae14c2ded4b318edfc1ee371b68d76854973a8f744b8f0903008f1f1d246c137c4fb07078e63b2c2cad2513269a45d577a129c25ce8eb96 |
\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll
| Hash | Value |
| --- | --- |
| MD5 | 751432e6a01e4d33654c866c6022d532 |
| SHA1 | 213f06b7c34c798db19f82be84f9fc5700f53cd7 |
| SHA256 | 0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c |
| SHA512 | cc7693dae35578bd4e1703e30007b7df4c0bcc71ff73b46cee6b1e4e7185c28d9fcdb46f73b397bc1b011570ee92943954ed5098bc514b6241e67d502a7fd528 |
\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll
| Hash | Value |
| --- | --- |
| MD5 | 6faa15d2e2bac763d9d8a5374913140a |
| SHA1 | 1eca4d6d8a040ec53dab57767db52e5919dc8ffb |
| SHA256 | 05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9 |
| SHA512 | cdb52b69131d43cf491605ed4790c318364cee2a654b5d7adf878eebbc1c690c96418034d07cf98375a23100c30b68e8cbf6d7c9da9795ef41b88c2ab1b330e4 |
\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll
| Hash | Value |
| --- | --- |
| MD5 | 2631dc6e62f2d1a82af9cc59a55cb562 |
| SHA1 | ebd7b0ae4c61a9dcb0bf1629188901ef7fd811e1 |
| SHA256 | 1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80 |
| SHA512 | 6b2fa8e4ade8ba27feb8f64e9c92f91fe190ddd54cb7cb67aa589184ab4a64d7be99f717de602bc3dfe9a76d83583f9176a315193e302710d0d6ab0029112874 |
C:\Users\Admin\AppData\Local\Temp\A1D26E2\E22588C8E0.tmp
| Hash | Value |
| --- | --- |
| MD5 | 5c446cd4955399c94fe38437d67670a0 |
| SHA1 | 157324884d1c20f796b250bb79ab45c5a754d0ba |
| SHA256 | e76369c872d3cc0cb5a71bbb3a05cdfe908b54497cafe75a5ce628bf086773d3 |
| SHA512 | 2a1c51d7bf5db1211cc7e4292d13f272fd31a7851d295c1b7f7f2e2ab1d2111fb5cafbe99c3fe921dd8ea2e4ffdc1ff9ed80f62045d9a7b7678d77befbeca48d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 03:52
Reported
2024-11-04 03:54
Platform
win10v2004-20241007-en
Max time kernel
104s
Max time network
106s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\ = "admctrl 1.0 형식 라이브러리" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CanElevate.DLL\AppID = "{20D523FA-DC5F-4055-A7F4-76710FB48A7E}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\ = "MagicLineMBX 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ = "MagicLineMBX Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800\ = "Safe for initializing" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\VersionIndependentProgID\ = "admctrl.FileIO" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\800 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Version | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\MagicLineMBX.dll" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ = "0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\VersionIndependentProgID\ = "MagicLineMBX.MagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
"C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4032-1-0x0000000000403000-0x0000000000404000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/4032-5-0x0000000010000000-0x0000000010030000-memory.dmp
memory/4032-7-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll
| MD5 | f44c463727629428543da74af7c4aa56 |
| SHA1 | c3925c5326c83366fedb5d899616c23b1eb35686 |
| SHA256 | 8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc |
| SHA512 | 861cca7892ba39ecef3bfd8fcfe6bb3d2a84de13282c60e191dbe95cbb66a0246692ed9f59c5ff7e36aa8f0e4fd93d74d108045099cc26c30600359b3ae5e7ca |
memory/4032-22-0x00000000046F0000-0x00000000047F3000-memory.dmp
memory/4032-41-0x00000000048F0000-0x0000000004913000-memory.dmp
memory/4032-75-0x00000000046F0000-0x0000000004701000-memory.dmp
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll
| MD5 | 548d42f4f74ccca097de9ecbaa067f3f |
| SHA1 | 7b1a12b3339a052797f42043be335c5a32efe4a4 |
| SHA256 | a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822 |
| SHA512 | b1b8bc55422ec31aeb0a44456821e4b1a9c2a08bcbd397f4c4eaa4a282f6f4b9a050c671c228ea6cf122eac883031c1e5d35c779bc2f291186ebe42ca50281a2 |
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll
| MD5 | ec0f6b05f7321ee8c6b4d2c8da487c67 |
| SHA1 | 48b2eb1aa2572f4b7ed5f3de3e119fcb72f40d2e |
| SHA256 | 0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f |
| SHA512 | d563e4c0ccd459db004c0e5518c706c115cd966d5c4ddb0e1bd64582e69c53146b67dc7b71920521c3837398073db4cb2d0eed577aedcd556adf3db07ae35dab |
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll
| MD5 | 751432e6a01e4d33654c866c6022d532 |
| SHA1 | 213f06b7c34c798db19f82be84f9fc5700f53cd7 |
| SHA256 | 0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c |
| SHA512 | cc7693dae35578bd4e1703e30007b7df4c0bcc71ff73b46cee6b1e4e7185c28d9fcdb46f73b397bc1b011570ee92943954ed5098bc514b6241e67d502a7fd528 |
memory/4032-301-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4032-300-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A1D26E2\9AF8C10FC0.tmp
| MD5 | 5c446cd4955399c94fe38437d67670a0 |
| SHA1 | 157324884d1c20f796b250bb79ab45c5a754d0ba |
| SHA256 | e76369c872d3cc0cb5a71bbb3a05cdfe908b54497cafe75a5ce628bf086773d3 |
| SHA512 | 2a1c51d7bf5db1211cc7e4292d13f272fd31a7851d295c1b7f7f2e2ab1d2111fb5cafbe99c3fe921dd8ea2e4ffdc1ff9ed80f62045d9a7b7678d77befbeca48d |
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll
| MD5 | 925e8fed4e272cfb552d3a6eafc23b34 |
| SHA1 | e83def94a9cdf40c59cdbd8232cb69db82f15aa1 |
| SHA256 | 4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb |
| SHA512 | e2d33e4ea78e36a11466a5fc953a6bb81bb9bc43b7b02da7f483dc2269d4b6b1f9d60088a928baa727ad40d82cf2140ca33d0c570d70dcda51b5a11df19f8593 |
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll
| MD5 | 7629e9d7490c8fbb60fbff721fd39bed |
| SHA1 | 9d0cddb60bd1fda9a31c04d0eecc797ecc4b3f46 |
| SHA256 | 64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2 |
| SHA512 | c2fc9b85d32fba6173d8a1f5d413a061ef2df189fd980434f008c6cfe759a41a8ae57f6642f5e0c4cbd15e6d5275092438db419e1b7f08c40be37d4512f783f3 |
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll
| MD5 | 2631dc6e62f2d1a82af9cc59a55cb562 |
| SHA1 | ebd7b0ae4c61a9dcb0bf1629188901ef7fd811e1 |
| SHA256 | 1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80 |
| SHA512 | 6b2fa8e4ade8ba27feb8f64e9c92f91fe190ddd54cb7cb67aa589184ab4a64d7be99f717de602bc3dfe9a76d83583f9176a315193e302710d0d6ab0029112874 |
memory/4032-203-0x0000000004B10000-0x0000000004B33000-memory.dmp
memory/4032-197-0x0000000004910000-0x0000000004B04000-memory.dmp
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll
| MD5 | e5874a2edf0ed6578b89f606263ef61a |
| SHA1 | 932470e5189664eae901bb3130e10ca605c948c4 |
| SHA256 | 092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2 |
| SHA512 | dae2260472fb33700d032038d808f05a4c4b666afe3cfb0a2fda5e0a09ca93305fc4331c570b001a770a6d9b95a379c3b53ad57dadb7c1688ca656a0c2a4ac8e |
C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll
| MD5 | 6faa15d2e2bac763d9d8a5374913140a |
| SHA1 | 1eca4d6d8a040ec53dab57767db52e5919dc8ffb |
| SHA256 | 05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9 |
| SHA512 | cdb52b69131d43cf491605ed4790c318364cee2a654b5d7adf878eebbc1c690c96418034d07cf98375a23100c30b68e8cbf6d7c9da9795ef41b88c2ab1b330e4 |
memory/4032-189-0x00000000048E0000-0x00000000048F1000-memory.dmp
memory/4032-186-0x00000000048C0000-0x00000000048D5000-memory.dmp
memory/4032-183-0x0000000004840000-0x00000000048B1000-memory.dmp
memory/4032-179-0x0000000004730000-0x0000000004833000-memory.dmp
memory/4032-167-0x00000000046F0000-0x000000000472D000-memory.dmp
memory/4032-130-0x0000000004970000-0x0000000004993000-memory.dmp
memory/4032-124-0x0000000004770000-0x0000000004964000-memory.dmp
memory/4032-119-0x00000000046F0000-0x0000000004761000-memory.dmp
memory/4032-88-0x00000000046F0000-0x0000000004729000-memory.dmp
memory/4032-62-0x00000000046F0000-0x0000000004705000-memory.dmp
memory/4032-35-0x00000000046F0000-0x00000000048E4000-memory.dmp