Analysis
max time kernel: 120s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-03-2023 04:20

Static task: static1
Behavioral task: behavioral1
  Sample: 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
  Resource: win10v2004-20230220-en
General
Target: 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
Size: 5.2MB
MD5: 070c397b7d77be8f730a01b64d3c03c3
SHA1: dc32d188461e552bb72ed0fb16e0af45dd62bde5
SHA256: 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851
SHA512: 1fc0725fc03530f5add5a9c161f52852f8c7878f7a617a7275fef463891787617b3dc3a3d16fc33494715e0d4f538cf08dace64d4c40b461443a9b334c7d6925
SSDEEP: 98304:4nhLTDcdqwb3KfoNpUSMxQ7pbw+abYNuJ+l7:Wc4qKiSD
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\plugin\MOMOPLUGIN.DLL | acprotect
  C:\Users\Admin\AppData\Local\Temp\plugin\MOMOPLUGIN.DLL | acprotect
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Wine | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
Loads dropped DLL (13 IoCs)
Processes:
  pid | process
  1328 | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe (13 identical entries)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\plugin\MOMOPLUGIN.DLL | upx
  C:\Users\Admin\AppData\Local\Temp\plugin\MOMOPLUGIN.DLL | upx
  behavioral2/memory/1328-430-0x0000000011000000-0x000000001101D000-memory.dmp | upx
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
Modifies Internet Explorer settings
Processes:
  All entries below were made by process 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe.
  description | ioc
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com
  Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com\NumberOfSubdomains = "1"
  Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\RNA20E56AA7517B0F5078CDC0A97790E07E42321D55C80D3F96165B85FA4CABFB9E9664E44AAB3A66D719FEEE82435F2BFA045B19CC725603DB889FAFDEB3ABCFB24BE8D43C37521DFE32BF0244FFC2D337E12B58E406D56933A7CDDE8BD8 = "8747E76F996AE043"
  Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com\Total = "63"
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.vrbrothers.com
  Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ad.vrbrothers.com\ = "63"
Modifies registry class 64 IoCs
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
  pid | process
  1328 | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe (6 identical entries)
Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
  pid | process
  1328 | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe (6 identical entries)
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
  pid | process
  1328 | 8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe (16 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8d89b8acb10cf6d30f00e65b2499de8df3db154dec15a8190408db7ef3b76851.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Downloads