Malware Analysis Report

2025-06-16 06:59

Sample ID 241104-ee9cdsskbz
Target bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN
SHA256 bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457e
Tags floxif backdoor discovery trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457e

Threat Level: Known bad

The file bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery trojan upx

Floxif, Floodfix

Floxif family

Detects Floxif payload

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Enumerates connected drives

Checks installed software on the system

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:52

Signatures

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:52

Reported

2024-11-04 03:54

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"

Signatures

Floxif family

Tags: floxif

Floxif, Floodfix

Tags: backdoor trojan floxif

Detects Floxif payload

Tags: backdoor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

Checks installed software on the system

Tags: discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File opened for modification | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\ENG.ini | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\KOR.ini | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.conf | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\images\Logo.bmp | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File opened for modification | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.dat | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NpkiCard.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\IssuerOid_Eng.conf | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File opened for modification | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GccCard.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\IssuerOid.conf | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
File created | C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\ = "MagicLineMBX 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\InprocServer32\ = "C:\\PROGRA~2\\DREAMS~1\\MAGICL~1\\MAGICL~1.DLL" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32\ = "C:\\PROGRA~2\\DREAMS~1\\MAGICL~1\\MAGICL~1.DLL, 102" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CurVer\ = "admctrl.FileIO.1" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX.1\CLSID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX.1\ = "MagicLineMBX Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\ = "{E42EC818-A73F-4156-AEFC-54501C210A35}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Control | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Programmable | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Version | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MagicLineMBX.MagicLineMBX\CurVer | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\LocalizedString = "@C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll,-101" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ = "IFileIO" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646} | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\ = "FileIO Class" | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe

"C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"

Network

N/A

Files

memory/2272-0-0x0000000000403000-0x0000000000404000-memory.dmp

memory/2272-4-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2272-6-0x0000000000400000-0x000000000043A000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll

MD5 f44c463727629428543da74af7c4aa56
SHA1 c3925c5326c83366fedb5d899616c23b1eb35686
SHA256 8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc
SHA512 861cca7892ba39ecef3bfd8fcfe6bb3d2a84de13282c60e191dbe95cbb66a0246692ed9f59c5ff7e36aa8f0e4fd93d74d108045099cc26c30600359b3ae5e7ca

memory/2272-20-0x0000000003790000-0x0000000003893000-memory.dmp

memory/2272-28-0x00000000044E0000-0x00000000046D4000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll

MD5 e5874a2edf0ed6578b89f606263ef61a
SHA1 932470e5189664eae901bb3130e10ca605c948c4
SHA256 092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2
SHA512 dae2260472fb33700d032038d808f05a4c4b666afe3cfb0a2fda5e0a09ca93305fc4331c570b001a770a6d9b95a379c3b53ad57dadb7c1688ca656a0c2a4ac8e

memory/2272-32-0x0000000003890000-0x00000000038B3000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll

MD5 ec0f6b05f7321ee8c6b4d2c8da487c67
SHA1 48b2eb1aa2572f4b7ed5f3de3e119fcb72f40d2e
SHA256 0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f
SHA512 d563e4c0ccd459db004c0e5518c706c115cd966d5c4ddb0e1bd64582e69c53146b67dc7b71920521c3837398073db4cb2d0eed577aedcd556adf3db07ae35dab

memory/2272-40-0x0000000002C50000-0x0000000002C73000-memory.dmp

memory/2272-44-0x0000000002830000-0x0000000002845000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll

MD5 7629e9d7490c8fbb60fbff721fd39bed
SHA1 9d0cddb60bd1fda9a31c04d0eecc797ecc4b3f46
SHA256 64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2
SHA512 c2fc9b85d32fba6173d8a1f5d413a061ef2df189fd980434f008c6cfe759a41a8ae57f6642f5e0c4cbd15e6d5275092438db419e1b7f08c40be37d4512f783f3

memory/2272-36-0x0000000003890000-0x0000000003A84000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll

MD5 925e8fed4e272cfb552d3a6eafc23b34
SHA1 e83def94a9cdf40c59cdbd8232cb69db82f15aa1
SHA256 4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb
SHA512 e2d33e4ea78e36a11466a5fc953a6bb81bb9bc43b7b02da7f483dc2269d4b6b1f9d60088a928baa727ad40d82cf2140ca33d0c570d70dcda51b5a11df19f8593

memory/2272-51-0x0000000002830000-0x0000000002841000-memory.dmp

memory/2272-58-0x0000000002C50000-0x0000000002C89000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll

MD5 548d42f4f74ccca097de9ecbaa067f3f
SHA1 7b1a12b3339a052797f42043be335c5a32efe4a4
SHA256 a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822
SHA512 b1b8bc55422ec31aeb0a44456821e4b1a9c2a08bcbd397f4c4eaa4a282f6f4b9a050c671c228ea6cf122eac883031c1e5d35c779bc2f291186ebe42ca50281a2

\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.tmp

MD5 bd3e1fc747aaff04f84a1caa756d71f1
SHA1 028e123c771a318d39a29d31034191953503c2f3
SHA256 fb2fac601ef045db90a2931abd103ee4018a8c7d4303a4125ad85c28fe4a075c
SHA512 d719a68320d65d157ae14c2ded4b318edfc1ee371b68d76854973a8f744b8f0903008f1f1d246c137c4fb07078e63b2c2cad2513269a45d577a129c25ce8eb96

\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll

MD5 751432e6a01e4d33654c866c6022d532
SHA1 213f06b7c34c798db19f82be84f9fc5700f53cd7
SHA256 0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c
SHA512 cc7693dae35578bd4e1703e30007b7df4c0bcc71ff73b46cee6b1e4e7185c28d9fcdb46f73b397bc1b011570ee92943954ed5098bc514b6241e67d502a7fd528

memory/2272-92-0x0000000003890000-0x0000000003901000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll

MD5 6faa15d2e2bac763d9d8a5374913140a
SHA1 1eca4d6d8a040ec53dab57767db52e5919dc8ffb
SHA256 05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9
SHA512 cdb52b69131d43cf491605ed4790c318364cee2a654b5d7adf878eebbc1c690c96418034d07cf98375a23100c30b68e8cbf6d7c9da9795ef41b88c2ab1b330e4

memory/2272-95-0x0000000003C20000-0x0000000003E14000-memory.dmp

\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll

MD5 2631dc6e62f2d1a82af9cc59a55cb562
SHA1 ebd7b0ae4c61a9dcb0bf1629188901ef7fd811e1
SHA256 1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80
SHA512 6b2fa8e4ade8ba27feb8f64e9c92f91fe190ddd54cb7cb67aa589184ab4a64d7be99f717de602bc3dfe9a76d83583f9176a315193e302710d0d6ab0029112874

memory/2272-120-0x0000000002C50000-0x0000000002C8D000-memory.dmp

memory/2272-144-0x0000000002CE0000-0x0000000002CF5000-memory.dmp

memory/2272-135-0x0000000002CB0000-0x0000000002CD3000-memory.dmp

memory/2272-128-0x00000000039A0000-0x0000000003A11000-memory.dmp

memory/2272-124-0x0000000003890000-0x0000000003993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1D26E2\E22588C8E0.tmp

MD5 5c446cd4955399c94fe38437d67670a0
SHA1 157324884d1c20f796b250bb79ab45c5a754d0ba
SHA256 e76369c872d3cc0cb5a71bbb3a05cdfe908b54497cafe75a5ce628bf086773d3
SHA512 2a1c51d7bf5db1211cc7e4292d13f272fd31a7851d295c1b7f7f2e2ab1d2111fb5cafbe99c3fe921dd8ea2e4ffdc1ff9ed80f62045d9a7b7678d77befbeca48d

memory/2272-212-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2272-211-0x0000000010000000-0x0000000010030000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 03:52

Reported

2024-11-04 03:54

Platform

win10v2004-20241007-en

Max time kernel

104s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NpkiCard.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GccCard.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.conf C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\IssuerOid_Eng.conf C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\ENG.ini C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\KOR.ini C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX Uninstall.exe C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\IssuerOid.conf C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\images\Logo.bmp C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File created C:\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
File opened for modification C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX UnInstall.exe C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ = "FileIO Class" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "0" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\ = "admctrl 1.0 형식 라이브러리" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\TypeLib C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CanElevate.DLL\AppID = "{20D523FA-DC5F-4055-A7F4-76710FB48A7E}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\ProgID C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\ = "MagicLineMBX 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ = "MagicLineMBX Class" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800\ = "Safe for initializing" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\VersionIndependentProgID\ = "admctrl.FileIO" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib\ = "{30105D53-4619-4D1A-9F18-D971351F9287}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\800 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Version C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\MiscStatus C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Elevation C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\TypeLib C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Programmable C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\MagicLineMBX.dll" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E42EC818-A73F-4156-AEFC-54501C210A35}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ = "0" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\Programmable C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\VersionIndependentProgID\ = "MagicLineMBX.MagicLineMBX" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\admctrl.FileIO.1\CLSID\ = "{EE720759-8584-46E5-9F3A-9E2969B13B68}" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE720759-8584-46E5-9F3A-9E2969B13B68}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\TypeLib C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\0\win32\ = "C:\\Program Files (x86)\\DreamSecurity\\MagicLineMBX\\admctrl.dll" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D9E8890-2E58-494D-A129-D42E4C701C54}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800 C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8223F3A-1420-4245-88F2-D874FC081574}\ProgID C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BDF1EBE-6363-46FE-9CBF-3EE94DF25646}\ = "IMagicLineMBX" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287} C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30105D53-4619-4D1A-9F18-D971351F9287}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe

"C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4032-1-0x0000000000403000-0x0000000000404000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/4032-5-0x0000000010000000-0x0000000010030000-memory.dmp

memory/4032-7-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll

MD5 f44c463727629428543da74af7c4aa56
SHA1 c3925c5326c83366fedb5d899616c23b1eb35686
SHA256 8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc
SHA512 861cca7892ba39ecef3bfd8fcfe6bb3d2a84de13282c60e191dbe95cbb66a0246692ed9f59c5ff7e36aa8f0e4fd93d74d108045099cc26c30600359b3ae5e7ca

memory/4032-22-0x00000000046F0000-0x00000000047F3000-memory.dmp

memory/4032-41-0x00000000048F0000-0x0000000004913000-memory.dmp

memory/4032-75-0x00000000046F0000-0x0000000004701000-memory.dmp

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll

MD5 548d42f4f74ccca097de9ecbaa067f3f
SHA1 7b1a12b3339a052797f42043be335c5a32efe4a4
SHA256 a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822
SHA512 b1b8bc55422ec31aeb0a44456821e4b1a9c2a08bcbd397f4c4eaa4a282f6f4b9a050c671c228ea6cf122eac883031c1e5d35c779bc2f291186ebe42ca50281a2

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll

MD5 ec0f6b05f7321ee8c6b4d2c8da487c67
SHA1 48b2eb1aa2572f4b7ed5f3de3e119fcb72f40d2e
SHA256 0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f
SHA512 d563e4c0ccd459db004c0e5518c706c115cd966d5c4ddb0e1bd64582e69c53146b67dc7b71920521c3837398073db4cb2d0eed577aedcd556adf3db07ae35dab

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll

MD5 751432e6a01e4d33654c866c6022d532
SHA1 213f06b7c34c798db19f82be84f9fc5700f53cd7
SHA256 0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c
SHA512 cc7693dae35578bd4e1703e30007b7df4c0bcc71ff73b46cee6b1e4e7185c28d9fcdb46f73b397bc1b011570ee92943954ed5098bc514b6241e67d502a7fd528

memory/4032-301-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4032-300-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1D26E2\9AF8C10FC0.tmp

MD5 5c446cd4955399c94fe38437d67670a0
SHA1 157324884d1c20f796b250bb79ab45c5a754d0ba
SHA256 e76369c872d3cc0cb5a71bbb3a05cdfe908b54497cafe75a5ce628bf086773d3
SHA512 2a1c51d7bf5db1211cc7e4292d13f272fd31a7851d295c1b7f7f2e2ab1d2111fb5cafbe99c3fe921dd8ea2e4ffdc1ff9ed80f62045d9a7b7678d77befbeca48d

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll

MD5 925e8fed4e272cfb552d3a6eafc23b34
SHA1 e83def94a9cdf40c59cdbd8232cb69db82f15aa1
SHA256 4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb
SHA512 e2d33e4ea78e36a11466a5fc953a6bb81bb9bc43b7b02da7f483dc2269d4b6b1f9d60088a928baa727ad40d82cf2140ca33d0c570d70dcda51b5a11df19f8593

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll

MD5 7629e9d7490c8fbb60fbff721fd39bed
SHA1 9d0cddb60bd1fda9a31c04d0eecc797ecc4b3f46
SHA256 64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2
SHA512 c2fc9b85d32fba6173d8a1f5d413a061ef2df189fd980434f008c6cfe759a41a8ae57f6642f5e0c4cbd15e6d5275092438db419e1b7f08c40be37d4512f783f3

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll

MD5 2631dc6e62f2d1a82af9cc59a55cb562
SHA1 ebd7b0ae4c61a9dcb0bf1629188901ef7fd811e1
SHA256 1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80
SHA512 6b2fa8e4ade8ba27feb8f64e9c92f91fe190ddd54cb7cb67aa589184ab4a64d7be99f717de602bc3dfe9a76d83583f9176a315193e302710d0d6ab0029112874

memory/4032-203-0x0000000004B10000-0x0000000004B33000-memory.dmp

memory/4032-197-0x0000000004910000-0x0000000004B04000-memory.dmp

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll

MD5 e5874a2edf0ed6578b89f606263ef61a
SHA1 932470e5189664eae901bb3130e10ca605c948c4
SHA256 092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2
SHA512 dae2260472fb33700d032038d808f05a4c4b666afe3cfb0a2fda5e0a09ca93305fc4331c570b001a770a6d9b95a379c3b53ad57dadb7c1688ca656a0c2a4ac8e

C:\Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll

MD5 6faa15d2e2bac763d9d8a5374913140a
SHA1 1eca4d6d8a040ec53dab57767db52e5919dc8ffb
SHA256 05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9
SHA512 cdb52b69131d43cf491605ed4790c318364cee2a654b5d7adf878eebbc1c690c96418034d07cf98375a23100c30b68e8cbf6d7c9da9795ef41b88c2ab1b330e4
