925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

Analysis

max time kernel
45s
max time network
51s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Size

5.6MB
MD5

f3433495a1a45857b3192203617166d1
SHA1

e30fee713805f3f6985b0d9bfc3ac270c9a9b995
SHA256

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3
SHA512

94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Score

10^/10

adware evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Drops file in Drivers directory 2 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File created	C:\Windows\System32\drivers\etc\hosts	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Executes dropped EXE 6 IoCs

Processes:

qsdlpaz.exeqertnya.exe~kqmndni.exe~kqmndni.exeqfkymvb.exe~kqmndni.exe

pid process

1256 qsdlpaz.exe
1152 qertnya.exe
1836 ~kqmndni.exe
1320 ~kqmndni.exe
1896 qfkymvb.exe
836 ~kqmndni.exe

pid	process
1256	qsdlpaz.exe
1152	qertnya.exe
1836	~kqmndni.exe
1320	~kqmndni.exe
1896	qfkymvb.exe
836	~kqmndni.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe	upx
\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe	upx
C:\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe	upx
C:\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe	upx
\Users\Admin\AppData\Local\Temp\qertnya.exe	upx
C:\Users\Admin\AppData\Local\Temp\qertnya.exe	upx
\Users\Admin\AppData\Local\Temp\qertnya.exe	upx
C:\Users\Admin\AppData\Local\Temp\qertnya.exe	upx
\Users\Admin\AppData\Local\Temp\qfkymvb.exe	upx
\Users\Admin\AppData\Local\Temp\qfkymvb.exe	upx
C:\Users\Admin\AppData\Local\Temp\qfkymvb.exe	upx
C:\Users\Admin\AppData\Local\Temp\qfkymvb.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1256 cmd.exe

pid	process
1256	cmd.exe

Drops startup file 1 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Loads dropped DLL 12 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

pid	process
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
108
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
1584
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
272

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exeRundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCEEX	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCE	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCEEX	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
File opened (read-only)	\??\l:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\n:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\s:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\t:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\w:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\x:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\b:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\i:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\o:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\y:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\e:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\f:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\h:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\p:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\r:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\v:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\z:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\a:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\g:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\j:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\k:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\m:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\q:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
File opened (read-only)	\??\u:	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 1 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Drops file in Windows directory 1 IoCs

Processes:

Rundll32.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log Rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

~kqmndni.exe925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe~kqmndni.exe~kqmndni.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~kqmndni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~kqmndni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN	~kqmndni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\First Home Page = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.136156.com/?30508"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Modifies registry class 35 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\ = "在没有加载项的情况下启动"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\ = "属性(&R)"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InprocServer32	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InprocServer32	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\ = "Internet Explorer"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command\ = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,Control_RunDLL C:\\Windows\\SysWOW64\\inetcpl.cpl"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\ieframe.dll,-190"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\ = "打开主页(&H)"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\""	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InprocServer32	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InprocServer32	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1248 PING.EXE
1560 PING.EXE
1564 PING.EXE

pid	process
1248	PING.EXE
1560	PING.EXE
1564	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

pid	process
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
1812	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
1812	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
1812	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

pid process

860 925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

qertnya.exe~kqmndni.exe~kqmndni.exeqfkymvb.exe~kqmndni.exeRundll32.exe

description	pid	process
Token: SeRestorePrivilege	1152	qertnya.exe
Token: SeTakeOwnershipPrivilege	1152	qertnya.exe
Token: SeDebugPrivilege	1152	qertnya.exe
Token: SeSecurityPrivilege	1152	qertnya.exe
Token: SeBackupPrivilege	1836	~kqmndni.exe
Token: SeRestorePrivilege	1836	~kqmndni.exe
Token: SeTakeOwnershipPrivilege	1836	~kqmndni.exe
Token: SeBackupPrivilege	1320	~kqmndni.exe
Token: SeRestorePrivilege	1320	~kqmndni.exe
Token: SeTakeOwnershipPrivilege	1320	~kqmndni.exe
Token: SeRestorePrivilege	1896	qfkymvb.exe
Token: SeTakeOwnershipPrivilege	1896	qfkymvb.exe
Token: SeDebugPrivilege	1896	qfkymvb.exe
Token: SeSecurityPrivilege	1896	qfkymvb.exe
Token: SeBackupPrivilege	836	~kqmndni.exe
Token: SeRestorePrivilege	836	~kqmndni.exe
Token: SeTakeOwnershipPrivilege	836	~kqmndni.exe
Token: SeRestorePrivilege	1504	Rundll32.exe
Token: SeRestorePrivilege	1504	Rundll32.exe
Token: SeRestorePrivilege	1504	Rundll32.exe
Token: SeRestorePrivilege	1504	Rundll32.exe
Token: SeRestorePrivilege	1504	Rundll32.exe
Token: SeRestorePrivilege	1504	Rundll32.exe
Token: SeRestorePrivilege	1504	Rundll32.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

pid	process
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

pid	process
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exeqsdlpaz.execmd.exeRundll32.exerunonce.execmd.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 1812	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
PID 860 wrote to memory of 1812	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
PID 860 wrote to memory of 1812	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
PID 860 wrote to memory of 1812	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qsdlpaz.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qsdlpaz.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qsdlpaz.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qsdlpaz.exe
PID 860 wrote to memory of 1152	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qertnya.exe
PID 860 wrote to memory of 1152	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qertnya.exe
PID 860 wrote to memory of 1152	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qertnya.exe
PID 860 wrote to memory of 1152	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qertnya.exe
PID 1256 wrote to memory of 1724	1256	qsdlpaz.exe	cmd.exe
PID 1256 wrote to memory of 1724	1256	qsdlpaz.exe	cmd.exe
PID 1256 wrote to memory of 1724	1256	qsdlpaz.exe	cmd.exe
PID 1256 wrote to memory of 1724	1256	qsdlpaz.exe	cmd.exe
PID 1724 wrote to memory of 1248	1724	cmd.exe	PING.EXE
PID 1724 wrote to memory of 1248	1724	cmd.exe	PING.EXE
PID 1724 wrote to memory of 1248	1724	cmd.exe	PING.EXE
PID 860 wrote to memory of 1836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1320	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1320	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1320	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1320	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1896	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qfkymvb.exe
PID 860 wrote to memory of 1896	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qfkymvb.exe
PID 860 wrote to memory of 1896	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qfkymvb.exe
PID 860 wrote to memory of 1896	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	qfkymvb.exe
PID 860 wrote to memory of 836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 836	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	~kqmndni.exe
PID 860 wrote to memory of 1504	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	Rundll32.exe
PID 860 wrote to memory of 1504	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	Rundll32.exe
PID 860 wrote to memory of 1504	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	Rundll32.exe
PID 860 wrote to memory of 1504	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	Rundll32.exe
PID 1504 wrote to memory of 1044	1504	Rundll32.exe	runonce.exe
PID 1504 wrote to memory of 1044	1504	Rundll32.exe	runonce.exe
PID 1504 wrote to memory of 1044	1504	Rundll32.exe	runonce.exe
PID 1044 wrote to memory of 1932	1044	runonce.exe	grpconv.exe
PID 1044 wrote to memory of 1932	1044	runonce.exe	grpconv.exe
PID 1044 wrote to memory of 1932	1044	runonce.exe	grpconv.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1256	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1376	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1376	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1376	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 860 wrote to memory of 1376	860	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe	cmd.exe
PID 1256 wrote to memory of 1560	1256	cmd.exe	PING.EXE
PID 1256 wrote to memory of 1560	1256	cmd.exe	PING.EXE
PID 1256 wrote to memory of 1560	1256	cmd.exe	PING.EXE
PID 1376 wrote to memory of 1564	1376	cmd.exe	PING.EXE
PID 1376 wrote to memory of 1564	1376	cmd.exe	PING.EXE
PID 1376 wrote to memory of 1564	1376	cmd.exe	PING.EXE

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe

C:\Users\Admin\AppData\Local\Temp\925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
"C:\Users\Admin\AppData\Local\Temp\925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:860

C:\Users\Admin\AppData\Local\Temp\925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe
C:\Users\Admin\AppData\Local\Temp\925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3.exe /nstart
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe
C:\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe /nys
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\6UwAPSn.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1248

C:\Users\Admin\AppData\Local\Temp\qertnya.exe
C:\Users\Admin\AppData\Local\Temp\qertnya.exe /HomeRegAccess10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe
C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe
C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Users\Admin\AppData\Local\Temp\qfkymvb.exe
C:\Users\Admin\AppData\Local\Temp\qfkymvb.exe /HomeRegAccess10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe
C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\Rundll32.exe
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~qfghzey.inf
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
PID:1932

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0paQ4xq.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:1560

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\iJBHTwP.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0paQ4xq.bat
Filesize
465B

MD5
eabcf646098e41bd9981011e104891e1

SHA1
1f04eb1b34649b5e298867a2f9fb9738968249fc

SHA256
e420f999a3f32307e52391b3f822ce88dfa4883355f4a7f908eeca2fe751370e

SHA512
5f0828c1ebb0e17cb53ad90d96219f69c47d1a0274ed5c5bc91160b580f7f780d2fef6ae3244074aba9ec0c71bc3368e918a18ed14087000010ba1b87559935c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6UwAPSn.bat
Filesize
493B

MD5
c3618f8f52b629e6f4cc807d019d301e

SHA1
b394f0b29e320a8b1ec09cb723a9170193332171

SHA256
7501c8373b4cb911deec3bb357b4ef7069d19919f9c0ac3778b933ebbf04c5c6

SHA512
7162b0c3793325c6df20201fd5009043a8b2b3a3bc77d1b9cfbf11e32cb04880c852e6936f3dbcfa671501c2e94876fe101a9345c19a7937a812b33f709ea02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iJBHTwP.bat
Filesize
689B

MD5
d599a83f6821902e8ed30ce1be2c903d

SHA1
758bc863ac0283b89a478cb9046aaf579065b55e

SHA256
f94c975c718f6658605c00a143fa617f23517a1d502b7fdc466bf8ddc0f726f9

SHA512
df2c230d0e9aebc56765d7041e4482b92ea03136299132852f86ecd2329c362ac77352ec52ca6894cbb2ac8eead460b35d9ab45b9b987542a0796ade3a4fab5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qertnya.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qertnya.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfkymvb.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfkymvb.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~qfghzey.inf
Filesize
32B

MD5
8f5f4837dd4a1680d79bbdca9cc1e08f

SHA1
688b5d5ef993733b97b303ed4c8409a14b230de5

SHA256
2bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2

SHA512
bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
\Users\Admin\AppData\Local\Temp\nqbzdvw\qsdlpaz.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
\Users\Admin\AppData\Local\Temp\qertnya.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
\Users\Admin\AppData\Local\Temp\qertnya.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
\Users\Admin\AppData\Local\Temp\qfkymvb.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
\Users\Admin\AppData\Local\Temp\qfkymvb.exe
Filesize
5.6MB

MD5
f3433495a1a45857b3192203617166d1

SHA1
e30fee713805f3f6985b0d9bfc3ac270c9a9b995

SHA256
925179ae977026a407fcacba6c42bf28c0db1ae4abcc7838dcc02d64967f76f3

SHA512
94a1bf66d86be1a0ecac6f51fe45c7da6c62989abcd6293c104c78dd2d29293de905cec3123170d7a5e640e634c4497942c87d54433b9da1628d785c8d3cce67

Download Submit
\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
\Users\Admin\AppData\Local\Temp\~kqmndni.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit
memory/836-88-0x0000000000000000-mapping.dmp

Download
memory/860-54-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1044-94-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1044-93-0x0000000000000000-mapping.dmp

Download
memory/1152-65-0x0000000000000000-mapping.dmp

Download
memory/1248-71-0x0000000000000000-mapping.dmp

Download
memory/1256-97-0x0000000000000000-mapping.dmp

Download
memory/1256-59-0x0000000000000000-mapping.dmp

Download
memory/1320-77-0x0000000000000000-mapping.dmp

Download
memory/1376-98-0x0000000000000000-mapping.dmp

Download
memory/1504-91-0x0000000000000000-mapping.dmp

Download
memory/1560-101-0x0000000000000000-mapping.dmp

Download
memory/1564-102-0x0000000000000000-mapping.dmp

Download
memory/1724-69-0x0000000000000000-mapping.dmp

Download
memory/1812-55-0x0000000000000000-mapping.dmp

Download
memory/1836-73-0x0000000000000000-mapping.dmp

Download
memory/1896-82-0x0000000000000000-mapping.dmp

Download
memory/1932-95-0x0000000000000000-mapping.dmp

Download