Analysis
- max time kernel: 45s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-05-2022 04:28
Static task: static1
Behavioral task: behavioral1
- Sample: UQD_211116.exe
- Resource: win7-20220414-en
General
- Target: UQD_211116.exe
- Size: 11.7MB
- MD5: 4dadc2245fc209e51d9c22753f5a8eec
- SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
- SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
- SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes:
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (UQD_211116.exe)
- File created: C:\Windows\System32\drivers\etc\hosts (UQD_211116.exe)
The report does not capture what was written to the hosts file; a rewritten hosts file is commonly used to sinkhole security-vendor and update domains, so pull it from the VM when triaging.
-
Executes dropped EXE 6 IoCs
Processes:
- 1764 xxmiila.exe
- 1364 froonyx.exe
- 528 ~bziteeq.exe
- 1640 ~bziteeq.exe
- 1304 deutdqw.exe
- 1068 ~bziteeq.exe
-
UPX-packed files (yara rule upx) 12 IoCs
Processes:
- \Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exe: upx (logged twice)
- C:\Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exe: upx (logged twice)
- \Users\Admin\AppData\Local\Temp\froonyx.exe: upx (logged twice)
- C:\Users\Admin\AppData\Local\Temp\froonyx.exe: upx (logged twice)
- \Users\Admin\AppData\Local\Temp\deutdqw.exe: upx (logged twice)
- C:\Users\Admin\AppData\Local\Temp\deutdqw.exe: upx (logged twice)
All three files carry the same hashes as the submitted sample (see Downloads), so the UPX match applies to UQD_211116.exe itself; the dropped copies are not a second-stage payload.
-
Deletes itself 1 IoCs
Processes:
- 952 cmd.exe
-
Drops startup file 1 IoCs
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (UQD_211116.exe)
-
Loads dropped DLL 12 IoCs
Processes:
- 1096 UQD_211116.exe (9 load events)
- 1920 (process name not recorded)
- 520 (process name not recorded)
- 556 (process name not recorded)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 32 IoCs
The signature title is the sandbox's generic one; the IoCs actually show UQD_211116.exe deleting and then re-creating the whole Run, RunOnce and RunOnceEx keys in three hives, which wipes every autostart entry that was in them (including the stock OptionalComponents subkeys MSFS, IMAIL and MAPI). The only value written under any of these keys is GrpConv, set by Rundll32.exe, which is consistent with the setupapi InstallHinfSection call in the process tree rather than with persistence for the sample itself.
Processes:
- Key deleted, then Key created (UQD_211116.exe): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, \RunOnce and \RunOnceEx (each deletion is logged twice, once under the upper-case name RUN / RUNONCE / RUNONCEEX and once under the mixed-case name)
- Key deleted, then Key created (UQD_211116.exe): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, \RunOnce and \RunOnceEx (same double-logged pattern)
- Key deleted (UQD_211116.exe): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents and its subkeys \MSFS, \IMAIL and \MAPI
- Key deleted, then Key created (UQD_211116.exe): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run, \RunOnce and \RunOnceEx (same pattern; Run is logged as created twice, once under Software and once under SOFTWARE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" (Rundll32.exe)
Checks whether UAC is enabled 1 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (UQD_211116.exe)
Despite the signature title this is a write, not a read: EnableLUA = 0 turns UAC off for every account after the next reboot. The same event is listed again under "System policy modification" below.
-
Drops desktop.ini file(s) 3 IoCs
Processes:
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (UQD_211116.exe)
- File opened for modification: C:\Users\Admin\Favorites\desktop.ini (UQD_211116.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (UQD_211116.exe)
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) \??\a: through \??\z:, every letter except c: and d:, all by UQD_211116.exe (24 opens, in the order i, k, x, y, z, a, e, g, l, n, q, u, v, b, f, j, w, r, s, t, p, h, m, o)
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in Program Files directory 3 IoCs
Processes:
- File created: C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg (UQD_211116.exe)
- File opened for modification: C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg (UQD_211116.exe)
- File opened for modification: C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (UQD_211116.exe)
The first path sits under the install directory of the Qihoo 360 security suite; the sandbox image does not ship that product, so the sample creates the path itself. Together with the Chinese-language shell verbs in the registry class changes below, this is consistent with a sample written for Chinese-locale systems. The report does not record what is written to speedmem2.hg.
-
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\INF\setupapi.app.log (Rundll32.exe)
setupapi.app.log is setupapi's own application-install log, written because of the InstallHinfSection call in the process tree; it records what the INF's DefaultInstall section did, which this report does not otherwise show, so it is worth pulling from the VM.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but nothing else in this run (no mass file writes, no ransom note, no encryption-related drops) supports that; here it accompanies the drive-letter sweep recorded under "Enumerates connected drives".
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (runonce.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (runonce.exe)
The reader here is runonce.exe, the Windows component spawned by the setupapi InstallHinfSection call in the process tree, not the sample itself, so this hit carries little weight as a sandbox-evasion indicator.
-
Modifies Internet Explorer settings 13 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136738.com/?30507" (UQD_211116.exe)
- Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\Main (UQD_211116.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?30507" (UQD_211116.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?30507" (UQD_211116.exe)
- Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main (UQD_211116.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.136738.com/?30507" (UQD_211116.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN (~bziteeq.exe, logged three times, once per ~bziteeq.exe launch)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN (UQD_211116.exe)
- Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main (UQD_211116.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136738.com/?30507" (UQD_211116.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.136738.com/?30507" (UQD_211116.exe)
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?30507" (UQD_211116.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.136738.com/?30507" (UQD_211116.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.136738.com/?30507" (UQD_211116.exe)
-
Modifies registry class 35 IoCs
All 35 events are by UQD_211116.exe. Grouped by what they build:
- A shell object that presents itself as Internet Explorer, under \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}. Keys created: ...\Classes\CLSID, ...\{B5EAD1DB-7C18-4954-8820-01733BC08C82}, \DefaultIcon, \shell, \shell\Open, \shell\Open\Command, \shell\NoAddOns, \shell\NoAddOns\Command, \shell\Set, \shell\Set\Command. Values set (string values are shown as the sandbox logged them, with backslashes escaped):
  - (Default) = "Internet Explorer"
  - DefaultIcon\(Default) = "C:\\Windows\\SysWOW64\\ieframe.dll,-190"
  - shell\Open\(Default) = "打开主页(&H)" (Chinese for "Open home page")
  - shell\Open\Command\(Default) = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""
  - shell\NoAddOns\(Default) = "在没有加载项的情况下启动" (Chinese for "Start without add-ons")
  - shell\NoAddOns\Command\(Default) = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff"
  - shell\Set\(Default) = "属性(&R)" (Chinese for "Properties")
  - shell\Set\Command\(Default) = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,Control_RunDLL C:\\Windows\\SysWOW64\\inetcpl.cpl"
  Because the object launches the real iexplore.exe without a URL, every click on it lands on the hijacked start page set above.
- An extra OpenHomePage verb on the CLSID of the genuine Internet Explorer desktop icon: keys created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID, ...\{871C5380-42A0-1069-A2EA-08002B30309D}, \shell, \shell\OpenHomePage and \shell\OpenHomePage\Command (no value for the Command key is recorded in this report).
- Removal of five 32-bit COM registrations, each key and its InprocServer32 subkey: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}, {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}, {920E6DB1-9907-4370-B3A0-BAFC03D81399}, {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} and {16F3DD56-1AF5-4347-846D-7C10C4192619}. The report does not say what these CLSIDs registered; deleting InprocServer32 unregisters the in-process server, so whatever add-on or shell extension stood behind them stops loading.
- Shell bookkeeping: keys created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings and ...\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (populated by the shell whenever a program's display name is resolved; weak as an IoC).
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
- 1760 PING.EXE
- 1776 PING.EXE
- 780 PING.EXE
- 1996 PING.EXE
All four are "ping -n N 127.0.0.1" launched from the dropped .bat files (see the process tree). Pinging loopback is the stock way to sleep for N seconds inside a batch script before deleting a file, which matches the "Deletes itself" hit on cmd.exe 952; the batch file contents are not captured in this report.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 1096 UQD_211116.exe (61 events)
- 2004 UQD_211116.exe (3 events)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- 1096 UQD_211116.exe
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
- 1096 UQD_211116.exe: SeDebugPrivilege
- 2004 UQD_211116.exe: SeDebugPrivilege
- 1764 xxmiila.exe: SeDebugPrivilege
- 528 ~bziteeq.exe: SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- 1640 ~bziteeq.exe: SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- 1364 froonyx.exe: SeDebugPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSecurityPrivilege
- 1068 ~bziteeq.exe: SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- 1304 deutdqw.exe: SeDebugPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSecurityPrivilege
- 1180 Rundll32.exe: SeRestorePrivilege (7 events)
SeTakeOwnershipPrivilege, SeRestorePrivilege and SeSecurityPrivilege are exactly what the ~bziteeq.exe setowner and ACE commands in the process tree need to rewrite the owner and DACL of the Internet Explorer MAIN key.
-
Suspicious use of FindShellTrayWindow 37 IoCs
Processes:
- 1096 UQD_211116.exe (37 events)
-
Suspicious use of SendNotifyMessage 37 IoCs
Processes:
- 1096 UQD_211116.exe (37 events)
-
Suspicious use of WriteProcessMemory 62 IoCs
The sandbox logs one IoC per WriteProcessMemory call. Every target below is a child the writer itself launched, and the 3 to 4 writes per pair are the writes that accompany process creation; there is no write into an unrelated, already-running process. Collapsed by parent/child pair, in the order first seen:
Processes:
- 1096 UQD_211116.exe wrote to 2004 UQD_211116.exe (4)
- 1096 UQD_211116.exe wrote to 1764 xxmiila.exe (4)
- 1096 UQD_211116.exe wrote to 1364 froonyx.exe (4)
- 1096 UQD_211116.exe wrote to 528 ~bziteeq.exe (4)
- 1096 UQD_211116.exe wrote to 1640 ~bziteeq.exe (4)
- 1764 xxmiila.exe wrote to 1928 cmd.exe (4)
- 1928 cmd.exe wrote to 1760 PING.EXE (3)
- 1096 UQD_211116.exe wrote to 1304 deutdqw.exe (4)
- 1096 UQD_211116.exe wrote to 1068 ~bziteeq.exe (4)
- 1096 UQD_211116.exe wrote to 1180 Rundll32.exe (4)
- 1180 Rundll32.exe wrote to 1672 runonce.exe (3)
- 1672 runonce.exe wrote to 1644 grpconv.exe (3)
- 1096 UQD_211116.exe wrote to 952 cmd.exe (4)
- 1096 UQD_211116.exe wrote to 1764 cmd.exe (4)
- 1764 cmd.exe wrote to 780 PING.EXE (3)
- 952 cmd.exe wrote to 1776 PING.EXE (3)
- 952 cmd.exe wrote to 1996 PING.EXE (3)
Note the PID reuse: 1764 is first xxmiila.exe and, after that process exits, a cmd.exe. Anything that keys process identity on PID alone will merge the two lineages.
-
System policy modification 1 TTPs 4 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (UQD_211116.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (UQD_211116.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (UQD_211116.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (UQD_211116.exe)
Taken together these three values disable UAC: ConsentPromptBehaviorAdmin = 0 makes administrators elevate without any prompt, PromptOnSecureDesktop = 0 drops the secure-desktop switch for whatever prompts remain, and EnableLUA = 0 turns the whole mechanism off after the next reboot. Writing them requires administrator rights, so the sample already ran elevated in this sandbox.
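The registry IoCs above are what a responder would turn into detection logic. The following Python is an added example written for this page, not part of the sandbox report or the sample; it parses "Set value" lines in the report's flattened one-line format, normalises the hive prefixes and the Wow6432Node redirection, and applies three rules: the UAC policy triple, the Internet Explorer home page values, and any value written under Run / RunOnce / RunOnceEx, with the setupapi GrpConv artefact allow-listed so it does not fire. The sample lines are copied from this report; the rule names, the Finding type and the allow-list are this example's own choices.

```python
"""Parse registry "Set value" IoC lines from a sandbox report and flag the
UAC-weakening and Internet Explorer home page changes seen in this run."""
import re
from dataclasses import dataclass

# Constructed sample: IoC lines copied from this report's "System policy
# modification", "Modifies Internet Explorer ..." and "Adds Run key" signatures.
REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" UQD_211116.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" UQD_211116.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" UQD_211116.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?30507" UQD_211116.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136738.com/?30507" UQD_211116.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" Rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN ~bziteeq.exe
"""

# One flattened report row: "Set value (kind) <path> = "<value>" <process>"
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class RegEvent:
    kind: str      # "int" or "str"
    key: str       # normalised key path, upper-case, Wow6432Node folded away
    name: str      # value name, upper-case
    value: str
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def normalize(path: str) -> str:
    """Map \\REGISTRY\\MACHINE -> HKLM and \\REGISTRY\\USER -> HKU, upper-case,
    and drop the 32-bit redirection node so both views compare equal."""
    upper = path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        upper = "HKLM\\" + upper[len("\\REGISTRY\\MACHINE\\"):]
    elif upper.startswith("\\REGISTRY\\USER\\"):
        upper = "HKU\\" + upper[len("\\REGISTRY\\USER\\"):]
    return upper.replace("\\WOW6432NODE\\", "\\")


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key created" / "Key deleted" rows carry no value
        key, name = normalize(m["path"]).rsplit("\\", 1)
        events.append(RegEvent(m["kind"], key, name, m["value"], m["proc"]))
    return events


UAC_KEY = "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM"
# EnableLUA=0 switches UAC off at next boot; the other two remove the admin consent prompt.
UAC_WEAK = {"ENABLELUA": "0", "CONSENTPROMPTBEHAVIORADMIN": "0", "PROMPTONSECUREDESKTOP": "0"}
IE_MAIN_SUFFIX = "\\MICROSOFT\\INTERNET EXPLORER\\MAIN"
IE_HOME_VALUES = {"START PAGE", "DEFAULT_PAGE_URL", "FIRST HOME PAGE"}
AUTORUN_SUFFIXES = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE", "\\CURRENTVERSION\\RUNONCEEX")
# Known Windows artefact: setupapi's InstallHinfSection writes this RunOnce entry itself.
AUTORUN_ALLOWLIST = {("GRPCONV", "grpconv -o")}


def analyze(text: str) -> list:
    events = parse_events(text)
    findings = []
    uac = [e for e in events if e.key == UAC_KEY and UAC_WEAK.get(e.name) == e.value]
    if uac:  # one finding naming every weakened value, however many rows matched
        findings.append(Finding("uac_weakened",
                                ", ".join(sorted({e.process for e in uac})),
                                ", ".join(sorted({e.name for e in uac}))))
    for e in events:
        if (e.key.endswith(IE_MAIN_SUFFIX) and e.name in IE_HOME_VALUES
                and e.value.lower().startswith(("http://", "https://"))):
            findings.append(Finding("ie_homepage_hijack", e.process, f"{e.key}\\{e.name} -> {e.value}"))
        elif e.key.endswith(AUTORUN_SUFFIXES) and (e.name, e.value) not in AUTORUN_ALLOWLIST:
            findings.append(Finding("autorun_value", e.process, f"{e.key}\\{e.name} = {e.value}"))
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_LINES):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Folding Wow6432Node away matters here because the sample writes the same home page under both the native and the 32-bit view; without the fold a rule keyed on the exact path misses half the writes. The allow-list is deliberately a (name, value) pair rather than a name, so a GrpConv entry pointing anywhere other than "grpconv -o" would still be reported.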
Processes
Indented entries are children of the entry above them (the original report marks depth with 1⤵ to 4⤵).

- C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe"
  - Drops file in Drivers directory
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification

  - C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe /nstart
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exe /nys
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\uoqr5BM.bat
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe

  - C:\Users\Admin\AppData\Local\Temp\froonyx.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\froonyx.exe /HomeRegAccess10
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\deutdqw.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\deutdqw.exe /HomeRegAccess10
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\Rundll32.exe
    Command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~jpyedyb.inf
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\runonce.exe
      Command line: "C:\Windows\system32\runonce.exe" -r
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory

      - C:\Windows\System32\grpconv.exe
        Command line: "C:\Windows\System32\grpconv.exe" -o

  - C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\sHFkCjh.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe

    - C:\Windows\system32\PING.EXE
      Command line: ping -n 3 127.0.0.1
      - Runs ping.exe

  - C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NAON8ND.bat
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe

Reading the tree:
- xxmiila.exe, froonyx.exe and deutdqw.exe have the same size and hashes as UQD_211116.exe (see Downloads), so each is the sample re-launching a copy of itself under a random name with a different switch (/nys, /HomeRegAccess10, and /nstart for the direct re-launch). Only ~bziteeq.exe (546KB) is a distinct binary.
- The ~bziteeq.exe argument syntax (-on, -ot reg, -actn setowner / ace, -ace "n:...;p:...;i:...;m:...", -rec) matches the SetACL command-line tool; the report does not identify the binary, so treat that as an inference. Read as SetACL, the three calls first take ownership of HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN for Administrators and then grant Everyone full control, which strips any ACL that a browser-protection tool might have placed on the key before the start page values are written.
- The Rundll32 setupapi,InstallHinfSection call runs the DefaultInstall section of a 32-byte INF. The runonce.exe -r and grpconv.exe -o children, and the RunOnce\GrpConv value, are the standard side effects of that call; what DefaultInstall itself did is not recoverable from this report (setupapi.app.log would show it).
- The three .bat files are launched through cmd /c and do nothing visible except ping loopback as a delay; cmd.exe 952 (sHFkCjh.bat) is the one the sandbox credits with deleting the original sample. The batch contents are not included in the report.
- PID 1764 is reused: it is xxmiila.exe first and the cmd.exe running NAON8ND.bat later, so correlate on image name plus PID, not PID alone.
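The tree above is derived from the "wrote to memory of" records in the WriteProcessMemory signature, so it can be rebuilt, and checked, from those lines. The following Python is an added example for this page, not code from the sandbox or the sample: it parses the flattened records, deduplicates the repeated writes per parent/child pair, keys each process on (pid, image) so that the reused PID 1764 does not merge xxmiila.exe with the later cmd.exe, and then renders the tree and lists every lineage that ends in a given image. The event lines are a constructed subset of this report's records; the function and type names are this example's own.

```python
"""Rebuild a process tree from flattened "PID X wrote to memory of Y ..." records."""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample: a subset of this report's WriteProcessMemory records, including the
# repeated writes per child and the reuse of PID 1764 (xxmiila.exe, later cmd.exe).
SAMPLE_EVENTS = """
PID 1096 wrote to memory of 1764 1096 UQD_211116.exe xxmiila.exe
PID 1096 wrote to memory of 1764 1096 UQD_211116.exe xxmiila.exe
PID 1764 wrote to memory of 1928 1764 xxmiila.exe cmd.exe
PID 1928 wrote to memory of 1760 1928 cmd.exe PING.EXE
PID 1096 wrote to memory of 1180 1096 UQD_211116.exe Rundll32.exe
PID 1180 wrote to memory of 1672 1180 Rundll32.exe runonce.exe
PID 1672 wrote to memory of 1644 1672 runonce.exe grpconv.exe
PID 1096 wrote to memory of 1764 1096 UQD_211116.exe cmd.exe
PID 1764 wrote to memory of 780 1764 cmd.exe PING.EXE
PID 1096 wrote to memory of 952 1096 UQD_211116.exe cmd.exe
PID 952 wrote to memory of 1776 952 cmd.exe PING.EXE
"""


class Proc(NamedTuple):
    pid: int
    name: str


# "PID <p> wrote to memory of <c> <p> <parent image> <child image>"; the back-reference
# rejects rows where the repeated parent PID does not match.
WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) (?P<pname>\S+) (?P<cname>\S+)$"
)


def parse_edges(text: str) -> Counter:
    """Return a Counter of (parent, child) pairs; the count is the number of writes logged."""
    edges = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent = Proc(int(m["ppid"]), m["pname"])
            child = Proc(int(m["cpid"]), m["cname"])
            edges[(parent, child)] += 1
    return edges


def build_tree(edges: Counter):
    """children maps each Proc to its children in first-seen order; roots are never a child."""
    children = defaultdict(list)
    for parent, child in edges:          # Counter keeps insertion order
        children[parent].append(child)
    all_children = {c for _, c in edges}
    roots, seen = [], set()
    for parent, _ in edges:
        if parent not in all_children and parent not in seen:
            roots.append(parent)
            seen.add(parent)
    return children, roots


def render(children, roots) -> str:
    lines = []

    def walk(node: Proc, depth: int):
        lines.append("  " * depth + f"{node.name} (pid {node.pid})")
        for c in children.get(node, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


def chains_ending_in(children, roots, image: str) -> list:
    """Every root-to-leaf lineage (as image names) whose last process is `image`."""
    chains = []

    def walk(node: Proc, path: list):
        path = path + [node]
        if node.name == image:
            chains.append([p.name for p in path])
        for c in children.get(node, []):
            walk(c, path)

    for r in roots:
        walk(r, [])
    return chains


def pid_collisions(edges: Counter) -> dict:
    """PIDs seen with more than one image name: a tree keyed on PID alone would merge them."""
    names = defaultdict(set)
    for parent, child in edges:
        names[parent.pid].add(parent.name)
        names[child.pid].add(child.name)
    return {pid: n for pid, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_EVENTS)
    children, roots = build_tree(edges)
    print(render(children, roots))
    print("PID reuse:", pid_collisions(edges))
    for chain in chains_ending_in(children, roots, "PING.EXE"):
        print(" -> ".join(chain))
```

On the full record set from this report the same code reproduces the process tree above, with one root (1096 UQD_211116.exe) and three separate cmd.exe to PING.EXE lineages; pid_collisions is the check to run before trusting any per-PID aggregation of sandbox output.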
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\NAON8ND.bat
- Filesize: 473B
- MD5: 1f6bdb6ce6dd933b18a996163f0a77da
- SHA1: fa0f9dd4d556bb708f35e9bb9c02180dadba1e36
- SHA256: fd8e355ec981e2166c11f725bba97a52f114169fb22ca71561e2e0c5b8178274
- SHA512: 1be1f569e44a173bdf2f9f6fc0ea62d17895348f8f18e308feaa082cdc8dc45053bddbcf6ac159be33e9d21d84f369c75eeeae071a67c776f924394f293401bf
-
C:\Users\Admin\AppData\Local\Temp\deutdqw.exe
- Filesize: 11.7MB
- MD5: 4dadc2245fc209e51d9c22753f5a8eec
- SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
- SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
- SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
C:\Users\Admin\AppData\Local\Temp\froonyx.exe
- Filesize: 11.7MB
- MD5: 4dadc2245fc209e51d9c22753f5a8eec
- SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
- SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
- SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
C:\Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exe
- Filesize: 11.7MB
- MD5: 4dadc2245fc209e51d9c22753f5a8eec
- SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
- SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
- SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
C:\Users\Admin\AppData\Local\Temp\sHFkCjh.bat
- Filesize: 465B
- MD5: 2f13b98d95363e95aabbb2815f4c79f5
- SHA1: 894e1898c845663b41b846e4a1f62d2915f435e9
- SHA256: d509af1f246fa1098fdc5cd42bbc2e6661f7429aaaa63ae0534ff5d66ab88bbd
- SHA512: 5a41a02b383ddc610175fdcf0eb8534e786f39524c9136e1fd888459e21916750c12c8f13bc5833f969ac68affa27e1bf5ab88e4d063fa81aa796db1ff850271
-
C:\Users\Admin\AppData\Local\Temp\uoqr5BM.bat
- Filesize: 493B
- MD5: 0b0ada48c0468524d8bee63ff210e57a
- SHA1: 484165ed3b24f2b28704faa42ef9318ca7b1a785
- SHA256: 9c4db750af3664477908bb076ca10378460fe1ccb0ab2b6ce1262ac01b8a48d9
- SHA512: 758e717804c0884dcd66a7b4416118f547735c718c76d721a57b7f6abdaae6638490f7b7b25d89088e4f337733885621d2dd9c9bf42ceb66234ee6b18d26bf7e
-
C:\Users\Admin\AppData\Local\Temp\~bziteeq.exe
- Filesize: 546KB
- MD5: 3e350eb5df15c06dec400a39dd1c6f29
- SHA1: f1434cfef2c05fda919922b721ec1a17adb3194e
- SHA256: 427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
- SHA512: b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
C:\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
C:\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
C:\Users\Admin\AppData\Local\Temp\~jpyedyb.infFilesize
32B
MD58f5f4837dd4a1680d79bbdca9cc1e08f
SHA1688b5d5ef993733b97b303ed4c8409a14b230de5
SHA2562bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2
SHA512bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66
-
\Users\Admin\AppData\Local\Temp\deutdqw.exeFilesize
11.7MB
MD54dadc2245fc209e51d9c22753f5a8eec
SHA12e32247294f43fac2edcdd1d044c70b398e03905
SHA256488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA5124d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
\Users\Admin\AppData\Local\Temp\deutdqw.exeFilesize
11.7MB
MD54dadc2245fc209e51d9c22753f5a8eec
SHA12e32247294f43fac2edcdd1d044c70b398e03905
SHA256488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA5124d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
\Users\Admin\AppData\Local\Temp\froonyx.exeFilesize
11.7MB
MD54dadc2245fc209e51d9c22753f5a8eec
SHA12e32247294f43fac2edcdd1d044c70b398e03905
SHA256488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA5124d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
\Users\Admin\AppData\Local\Temp\froonyx.exeFilesize
11.7MB
MD54dadc2245fc209e51d9c22753f5a8eec
SHA12e32247294f43fac2edcdd1d044c70b398e03905
SHA256488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA5124d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
\Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exeFilesize
11.7MB
MD54dadc2245fc209e51d9c22753f5a8eec
SHA12e32247294f43fac2edcdd1d044c70b398e03905
SHA256488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA5124d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
\Users\Admin\AppData\Local\Temp\iyjplaz\xxmiila.exeFilesize
11.7MB
MD54dadc2245fc209e51d9c22753f5a8eec
SHA12e32247294f43fac2edcdd1d044c70b398e03905
SHA256488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
SHA5124d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
\Users\Admin\AppData\Local\Temp\~bziteeq.exeFilesize
546KB
MD53e350eb5df15c06dec400a39dd1c6f29
SHA1f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
memory/528-70-0x0000000000000000-mapping.dmp
-
memory/780-100-0x0000000000000000-mapping.dmp
-
memory/952-96-0x0000000000000000-mapping.dmp
-
memory/1068-87-0x0000000000000000-mapping.dmp
-
memory/1096-54-0x00000000768D1000-0x00000000768D3000-memory.dmpFilesize
8KB
-
memory/1180-90-0x0000000000000000-mapping.dmp
-
memory/1304-82-0x0000000000000000-mapping.dmp
-
memory/1364-65-0x0000000000000000-mapping.dmp
-
memory/1640-74-0x0000000000000000-mapping.dmp
-
memory/1644-94-0x0000000000000000-mapping.dmp
-
memory/1672-92-0x0000000000000000-mapping.dmp
-
memory/1672-93-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmpFilesize
8KB
-
memory/1760-79-0x0000000000000000-mapping.dmp
-
memory/1764-59-0x0000000000000000-mapping.dmp
-
memory/1764-97-0x0000000000000000-mapping.dmp
-
memory/1776-101-0x0000000000000000-mapping.dmp
-
memory/1928-77-0x0000000000000000-mapping.dmp
-
memory/1996-102-0x0000000000000000-mapping.dmp
-
memory/2004-55-0x0000000000000000-mapping.dmp