d859c398ada31fc9f8074a9c0f6e643ae245e8b308a2354fb5c255071419c84a

Analysis

max time kernel
62s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupExitLag_v4280.exe
Size

20.1MB
MD5

5e4719ff0cd88d215b84ac5f792edb45
SHA1

e2480e255ddc6c0b2dfe80ef3366f2be8055101c
SHA256

d859c398ada31fc9f8074a9c0f6e643ae245e8b308a2354fb5c255071419c84a
SHA512

a298fafb18ccfc31b06cbf925000f79bb38e6622860d53e8efe80bbbab77096c932f1bc8e023dcee68b8b1975941759a56bfd785e67924cdc2aff4f104b856f9
SSDEEP

393216:C3xp6mAFEboRD2+ofJIUZa/Gtzdip6I1UAh7UI1btx5tSzz:C3xcm2S8DxoN8/GtRiMmoI1hrGz

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETAD12.tmp	snetcfg.exe
File created	C:\Windows\system32\DRIVERS\SETAD12.tmp	snetcfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\ndextlag.sys	snetcfg.exe
File created	C:\Windows\system32\drivers\nfextlag.sys	SetupExitLag_v4280.tmp

Executes dropped EXE 4 IoCs

pid	Process
900	SetupExitLag_v4280.tmp
1852	DriverCacheCleaner.exe
884	snetcfg.exe
1656	nfregdrv.exe

Loads dropped DLL 10 IoCs

pid	Process
336	SetupExitLag_v4280.exe
900	SetupExitLag_v4280.tmp
900	SetupExitLag_v4280.tmp
900	SetupExitLag_v4280.tmp
808	Process not Found
1200	Process not Found
1200	Process not Found
900	SetupExitLag_v4280.tmp
900	SetupExitLag_v4280.tmp
1656	nfregdrv.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B17.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_neutral_17444b81168ee7c2\ndextlag_lwf.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B15.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B17.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_neutral_17444b81168ee7c2\ndextlag_lwf.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B16.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B15.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag_lwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B16.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-memory-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\imageformats\qtiff.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-PE7LV.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\sqldrivers\is-7P0V2.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-6IF99.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-KVFE5.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-SHOCF.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-EVRFQ.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\libssl-1_1.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-crt-heap-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-processthreads-l1-1-1.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-util-l1-1-0.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\translations\is-0LUQT.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-TML4E.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-1SD6J.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-UUKO0.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-A0M1M.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-K8BKJ.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\libGLESv2.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\translations\is-NS735.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-V7QSV.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-VMNFK.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-UPH98.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-I1H73.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-profile-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\nfregdrv.exe	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\nfapi.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-heap-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\sqldrivers\qsqlpsql.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\translations\is-IK7CN.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-1UCHM.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-QT9DF.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-R683B.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-OOVB8.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\imageformats\qjpeg.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\exitlag.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-OKGVU.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-ANIAA.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-interlocked-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\Qt5Qml.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\sqldrivers\is-23KH6.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-J35VV.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-NPCT6.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-processthreads-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\zlib1.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\imageformats\qtga.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\translations\is-3CMBM.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\imageformats\qsvg.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\D3Dcompiler_47.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-datetime-l1-1-0.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\imageformats\is-I04AM.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-21EBD.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-A940M.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-SGRVT.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-crt-string-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\Qt5Widgets.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-core-handle-l1-1-0.dll	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\imageformats\is-AKC9U.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\platforms\is-36378.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\translations\is-LT9PI.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-95BRT.tmp	SetupExitLag_v4280.tmp
File created	C:\Program Files (x86)\ExitLag\is-7CHTV.tmp	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-crt-private-l1-1-0.dll	SetupExitLag_v4280.tmp
File opened for modification	C:\Program Files (x86)\ExitLag\api-ms-win-crt-time-l1-1-0.dll	SetupExitLag_v4280.tmp

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem2.PNF	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
900	SetupExitLag_v4280.tmp
900	SetupExitLag_v4280.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	884	snetcfg.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeRestorePrivilege	952	rundll32.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeBackupPrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1748	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeRestorePrivilege	1392	DrvInst.exe
Token: SeLoadDriverPrivilege	1392	DrvInst.exe
Token: SeLoadDriverPrivilege	1392	DrvInst.exe
Token: SeLoadDriverPrivilege	1392	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
900	SetupExitLag_v4280.tmp

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 336 wrote to memory of 900	336	SetupExitLag_v4280.exe	28
PID 900 wrote to memory of 1852	900	SetupExitLag_v4280.tmp	29
PID 900 wrote to memory of 1852	900	SetupExitLag_v4280.tmp	29
PID 900 wrote to memory of 1852	900	SetupExitLag_v4280.tmp	29
PID 900 wrote to memory of 1852	900	SetupExitLag_v4280.tmp	29
PID 900 wrote to memory of 884	900	SetupExitLag_v4280.tmp	31
PID 900 wrote to memory of 884	900	SetupExitLag_v4280.tmp	31
PID 900 wrote to memory of 884	900	SetupExitLag_v4280.tmp	31
PID 900 wrote to memory of 884	900	SetupExitLag_v4280.tmp	31
PID 1748 wrote to memory of 952	1748	DrvInst.exe	34
PID 1748 wrote to memory of 952	1748	DrvInst.exe	34
PID 1748 wrote to memory of 952	1748	DrvInst.exe	34
PID 900 wrote to memory of 1656	900	SetupExitLag_v4280.tmp	38
PID 900 wrote to memory of 1656	900	SetupExitLag_v4280.tmp	38
PID 900 wrote to memory of 1656	900	SetupExitLag_v4280.tmp	38
PID 900 wrote to memory of 1656	900	SetupExitLag_v4280.tmp	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4280.exe
"C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4280.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\is-HEU90.tmp\SetupExitLag_v4280.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HEU90.tmp\SetupExitLag_v4280.tmp" /SL5="$70126,20176773,887296,C:\Users\Admin\AppData\Local\Temp\SetupExitLag_v4280.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\DriverCacheCleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\DriverCacheCleaner.exe"
    3⤵
    - Executes dropped EXE
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe" -v -l ndextlag_lwf.inf -c s -i nt_ndextlag
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfregdrv.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfregdrv.exe" nfextlag
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1656

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4850cee1-9b21-5e6a-77d9-450621b37d5e}\ndextlag_lwf.inf" "9" "6ca3dd23f" "00000000000004DC" "WinSta0\Default" "00000000000003F0" "208" "C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7254279b-70d6-4f88-a1e1-205a4836045b} Global\{0bf4a292-b490-4e83-96c2-ef76d608f779} C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag_lwf.inf C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000005C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExitLag\unins000.exe

Filesize
3.1MB

MD5
b6f9e5adf6d8d0d6da89c7f0f445b787

SHA1
27cbb91a784dbe833d52fe815833ea1567882161

SHA256
71eeab0dc643e65fe5a1b6420e8efa4c953ff4204424a2f4ffe19b27432711a8

SHA512
e8d4f7edec05dfe7b37124143465b4bf096b168b62c90102ae58b6ee3c78204253cab0b64f4ced0b0c826b701f62c862082d2c32a3c30519857401877c2cdb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E42.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarABEB.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HEU90.tmp\SetupExitLag_v4280.tmp

Filesize
3.1MB

MD5
b6f9e5adf6d8d0d6da89c7f0f445b787

SHA1
27cbb91a784dbe833d52fe815833ea1567882161

SHA256
71eeab0dc643e65fe5a1b6420e8efa4c953ff4204424a2f4ffe19b27432711a8

SHA512
e8d4f7edec05dfe7b37124143465b4bf096b168b62c90102ae58b6ee3c78204253cab0b64f4ced0b0c826b701f62c862082d2c32a3c30519857401877c2cdb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HEU90.tmp\SetupExitLag_v4280.tmp

Filesize
3.1MB

MD5
b6f9e5adf6d8d0d6da89c7f0f445b787

SHA1
27cbb91a784dbe833d52fe815833ea1567882161

SHA256
71eeab0dc643e65fe5a1b6420e8efa4c953ff4204424a2f4ffe19b27432711a8

SHA512
e8d4f7edec05dfe7b37124143465b4bf096b168b62c90102ae58b6ee3c78204253cab0b64f4ced0b0c826b701f62c862082d2c32a3c30519857401877c2cdb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\DriverCacheCleaner.exe

Filesize
200KB

MD5
399d13e1fc4e576dd90ec68726e228f4

SHA1
80c73ec274d68bee075f7e3088590af3e15376b6

SHA256
7552b9fcc1996092426349be7ba6c1f4b50f8340d92b542813a2fe61155b66a1

SHA512
cdc9addb8b21a3d55749a4dd2a42cd9c6df24e5b4f31337d259206a3f4077cd5efbccd91a549707e43533bbe5d433a03dbc95a43c63b12140955568050307c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfapi.dll

Filesize
387KB

MD5
6201b8940ea6fde86144ea97d9b4f5a4

SHA1
8c33e76a7d0a5b3086891e9575d24633332e747e

SHA256
1f6191300bdbc066010ad860f67018876c820c717cd57ddd916efcc2f3bc3d94

SHA512
c37f978526488298a93d52e4a2c3a9a40e7240f3a0fd609c96024d118d19d5a7cbf4c73d0c1faf6363aead36edbbcbc7d6d19cf8245a479ee49f574df9a1ce09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfregdrv.exe

Filesize
58KB

MD5
8f896e0d1edd42e21e2b61ba793d02bd

SHA1
326bf3e334c2fb071ccf054e87b7cec97a856594

SHA256
c9f004773e128f5bd16543d98545a48898c32b76d8e550d17f34ca44a5fce3f5

SHA512
42aa8cb7f23753f16d892b8eee2b073e46f8c60f4f44c9dccde5e291c12048fe9d6810d3d7b9dc9ad35a21009d081479e62316a0c591fab6af03df4f00951e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfregdrv.exe

Filesize
58KB

MD5
8f896e0d1edd42e21e2b61ba793d02bd

SHA1
326bf3e334c2fb071ccf054e87b7cec97a856594

SHA256
c9f004773e128f5bd16543d98545a48898c32b76d8e550d17f34ca44a5fce3f5

SHA512
42aa8cb7f23753f16d892b8eee2b073e46f8c60f4f44c9dccde5e291c12048fe9d6810d3d7b9dc9ad35a21009d081479e62316a0c591fab6af03df4f00951e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WINPKF~1\lwf\win7\amd64\ndextlag.sys

Filesize
48KB

MD5
f0b1cf0cc7871760ce300201b77d9694

SHA1
7a2be67a9b0be2704432fabbf54c48ca7cb6ade0

SHA256
acbcd7f4ee9dd59bade03cfa5fa22401c780fd762a84df8db64791de53868ba7

SHA512
e7b8bc6c9060558901880efc4245e030de4d117311c313c2f8456ec8b328ac590efae4e0c838250603f9d3f6624be84340bc3a3d3f7f8ad39f223b0bcec72bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\ndextlag.cat

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\i386\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\is-2RHRU.tmp

Filesize
200KB

MD5
399d13e1fc4e576dd90ec68726e228f4

SHA1
80c73ec274d68bee075f7e3088590af3e15376b6

SHA256
7552b9fcc1996092426349be7ba6c1f4b50f8340d92b542813a2fe61155b66a1

SHA512
cdc9addb8b21a3d55749a4dd2a42cd9c6df24e5b4f31337d259206a3f4077cd5efbccd91a549707e43533bbe5d433a03dbc95a43c63b12140955568050307c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4850C~1\ndextlag.sys

Filesize
48KB

MD5
f0b1cf0cc7871760ce300201b77d9694

SHA1
7a2be67a9b0be2704432fabbf54c48ca7cb6ade0

SHA256
acbcd7f4ee9dd59bade03cfa5fa22401c780fd762a84df8db64791de53868ba7

SHA512
e7b8bc6c9060558901880efc4245e030de4d117311c313c2f8456ec8b328ac590efae4e0c838250603f9d3f6624be84340bc3a3d3f7f8ad39f223b0bcec72bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4850cee1-9b21-5e6a-77d9-450621b37d5e}\ndextlag.cat

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4850cee1-9b21-5e6a-77d9-450621b37d5e}\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\INF\oem2.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\System32\DriverStore\FileRepository\ndextlag_lwf.inf_amd64_neutral_17444b81168ee7c2\ndextlag_lwf.PNF

Filesize
8KB

MD5
41eed4952d46e3c7e228b5d1e9b89f2a

SHA1
4846e9d2edcadfd74a226dad847e8506602995c3

SHA256
4aec81a96f05feda3325bbd1dc1beb6a5daf1b0fc3d87c0f7c796e50fb569a6c

SHA512
f8c2792c8ba1891be5931b3b20b84422ee8062991f5f6acd81b15e677031dba9d6acf70585dff0387b7c54c9d703455b9a8847d880f6115cb96bb17b43c7b151

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
565bc87a15b99a6e841da046b4cc8752

SHA1
3055c461fa63466a8bb846b9db392f6d4598ae7a

SHA256
0fac75520f78d197ecbabea7e77f7528ff749540ba4bf14bad4769503966e5df

SHA512
96f3d94917b42fd590fb4734368e8f40fc7088744b239d097085752aad6886eabaedf8bb2e71cf2555f8787a3536acc15ea89bf4d6c9792e35e3f188188e3a03

Download Submit
C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B16.tmp

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\SET4B17.tmp

Filesize
48KB

MD5
f0b1cf0cc7871760ce300201b77d9694

SHA1
7a2be67a9b0be2704432fabbf54c48ca7cb6ade0

SHA256
acbcd7f4ee9dd59bade03cfa5fa22401c780fd762a84df8db64791de53868ba7

SHA512
e7b8bc6c9060558901880efc4245e030de4d117311c313c2f8456ec8b328ac590efae4e0c838250603f9d3f6624be84340bc3a3d3f7f8ad39f223b0bcec72bdf

Download Submit
C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag.cat

Filesize
14KB

MD5
0b727ab2f6edd5216ba331f755815f17

SHA1
facbdbe98bf760131a8131ffd4f16fa10dae9380

SHA256
b9ad4669382e2c81926c6664bf8b6318c927e054460fc27362f514491c80ad1c

SHA512
32e0248ff2f82641ef43dabc0dce50f57e3279e8f74f4225f4151777c773b9e27de747b71a3a108f1745d2305e34e6d0c985f62ff8a3397ea1f5d9a459665362

Download Submit
C:\Windows\System32\DriverStore\Temp\{34e15bf9-2f2b-7d13-113d-dc0904271d14}\ndextlag_lwf.inf

Filesize
2KB

MD5
f37e8cc0eabac5e065277ba82818bd44

SHA1
4b0d23da6f357406ed21187a99462fde36e36b40

SHA256
b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a

SHA512
c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467

Download Submit
C:\Windows\Temp\Cab4B75.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar4B97.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Users\Admin\AppData\Local\Temp\is-HEU90.tmp\SetupExitLag_v4280.tmp

Filesize
3.1MB

MD5
b6f9e5adf6d8d0d6da89c7f0f445b787

SHA1
27cbb91a784dbe833d52fe815833ea1567882161

SHA256
71eeab0dc643e65fe5a1b6420e8efa4c953ff4204424a2f4ffe19b27432711a8

SHA512
e8d4f7edec05dfe7b37124143465b4bf096b168b62c90102ae58b6ee3c78204253cab0b64f4ced0b0c826b701f62c862082d2c32a3c30519857401877c2cdb26

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\DriverCacheCleaner.exe

Filesize
200KB

MD5
399d13e1fc4e576dd90ec68726e228f4

SHA1
80c73ec274d68bee075f7e3088590af3e15376b6

SHA256
7552b9fcc1996092426349be7ba6c1f4b50f8340d92b542813a2fe61155b66a1

SHA512
cdc9addb8b21a3d55749a4dd2a42cd9c6df24e5b4f31337d259206a3f4077cd5efbccd91a549707e43533bbe5d433a03dbc95a43c63b12140955568050307c6f

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfapi.dll

Filesize
387KB

MD5
6201b8940ea6fde86144ea97d9b4f5a4

SHA1
8c33e76a7d0a5b3086891e9575d24633332e747e

SHA256
1f6191300bdbc066010ad860f67018876c820c717cd57ddd916efcc2f3bc3d94

SHA512
c37f978526488298a93d52e4a2c3a9a40e7240f3a0fd609c96024d118d19d5a7cbf4c73d0c1faf6363aead36edbbcbc7d6d19cf8245a479ee49f574df9a1ce09

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfregdrv.exe

Filesize
58KB

MD5
8f896e0d1edd42e21e2b61ba793d02bd

SHA1
326bf3e334c2fb071ccf054e87b7cec97a856594

SHA256
c9f004773e128f5bd16543d98545a48898c32b76d8e550d17f34ca44a5fce3f5

SHA512
42aa8cb7f23753f16d892b8eee2b073e46f8c60f4f44c9dccde5e291c12048fe9d6810d3d7b9dc9ad35a21009d081479e62316a0c591fab6af03df4f00951e6d

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\Nfsdk\nfregdrv.exe

Filesize
58KB

MD5
8f896e0d1edd42e21e2b61ba793d02bd

SHA1
326bf3e334c2fb071ccf054e87b7cec97a856594

SHA256
c9f004773e128f5bd16543d98545a48898c32b76d8e550d17f34ca44a5fce3f5

SHA512
42aa8cb7f23753f16d892b8eee2b073e46f8c60f4f44c9dccde5e291c12048fe9d6810d3d7b9dc9ad35a21009d081479e62316a0c591fab6af03df4f00951e6d

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LSALV.tmp\WinpkFilter\lwf\win7\amd64\snetcfg.exe

Filesize
15KB

MD5
58266a610bbc7c7eb924c6918edea151

SHA1
d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f

SHA256
516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944

SHA512
99bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c

Download Submit
memory/336-54-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/336-63-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/900-64-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/900-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/900-414-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/900-228-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/900-532-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/900-533-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/952-226-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download