Malware Analysis Report

2024-10-16 06:41

Sample ID 240618-majvyaygje
Target erdre gdps.7z
SHA256 de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b

Threat Level: Likely malicious

The file erdre gdps.7z was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:15

Reported

2024-06-18 10:17

Platform

win7-20240221-en

Max time kernel

80s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529958832572000" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000035696969690000007000000080000000800000008000000080000000800000008000000080000000800000004b0000000000000000000000000000000000000058b0b0b0b0000000adffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000000000000000000000000000000000000a5ffffffff000000c0000000800000008000000080ffffffffffffffff00000080000000800000008000000080000000800000004b0000000000000000000000c0ffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff030303a80303034f0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000e07f7f7fff030303d6101010580f0f0f580a0a0a54030303500000004d0000004d0000004d0000004d0000004dffffffff000000800000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb0141414901c1c1c611c1c1c611717175d0c0c0c550202024e0000004d0000004dffffffff0000008000000080ffffffffffffffffffffffffffffffffffffffff141414b428282869282828692828286928282869262626681818185e08080853ffffffff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e78ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0030000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133631812117194000" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80706004100720067006a0062006500780020002000330020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000080cc00ac68c1da0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80706004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000040ab30ab68c1da0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2328 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp
PID 2096 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
PID 2096 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
PID 2096 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
PID 2096 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
PID 304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe C:\Windows\system32\cmd.exe
PID 304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe C:\Windows\system32\cmd.exe
PID 304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe C:\Windows\system32\cmd.exe
PID 304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2940 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2940 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2940 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2940 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2940 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2940 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2940 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2940 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 2940 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe

"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp" /SL5="$5014E,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe

"C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6B31.tmp\6B32.tmp\6B33.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""

C:\Windows\system32\chcp.com

chcp 1251

C:\Windows\system32\taskkill.exe

Taskkill /f /im explorer.exe

C:\Windows\system32\shutdown.exe

shutdown /r

C:\Windows\explorer.exe

explorer

C:\Windows\system32\taskkill.exe

taskkill /f /IM explorer.exe

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\explorer.exe

explorer

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\mspaint.exe

mspaint

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\explorer.exe

explorer

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\charmap.exe

charmap

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2328-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2328-2-0x0000000000401000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-C4637.tmp\erdre GDPS install.tmp

MD5 fe9bea77f231fb8526ce2a8a2ccd58dc
SHA1 0c502b1e730e1274e90e08b35cb5f62430db3862
SHA256 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
SHA512 c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855

memory/2096-8-0x0000000000400000-0x00000000006F3000-memory.dmp

memory/2328-10-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2096-11-0x0000000000400000-0x00000000006F3000-memory.dmp

\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe

MD5 1f2cec484d93617fa81ecff025ebd981
SHA1 2a0e9083aa48236edd47a140380b800dc56579c1
SHA256 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8
SHA512 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562

\Users\Admin\AppData\Local\Programs\erdre GDPS\unins000.exe

MD5 957ee143a1196498e8de0a4543f7ef9e
SHA1 3703bd1c040890520c05ffdbd680bc37fd70f31f
SHA256 eb6b784e30f6cba45ef5c65514c3f5913c73b7bab80f45673cffa4851e27737a
SHA512 06c69fbac2215cfed585467f6e3d04baad1fff24dbe424fc51d4735d8bff85e4da110398043f10ecfd6db67b84114fe5959375cbf8bff6b003fb5943e0b4e866

memory/2096-34-0x0000000000400000-0x00000000006F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B31.tmp\6B32.tmp\6B33.bat

MD5 d46f641fd04723e353e062eff5679ef6
SHA1 319637221e4edaf0d59836285d065e58542afbdb
SHA256 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74
SHA512 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b

memory/2328-37-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/984-38-0x000007FEFAF10000-0x000007FEFAF5C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\erdre GDPS\erdresem`s GDPS.lnk

MD5 82726466fe676e6e7c8b8cdbdeef1705
SHA1 6f1124bb78ceebba9ab2a5d205f45bc7091a11c6
SHA256 844b41a09c3791f61b4e3b6fa7faf1f54127f76c96be48cc87d1567c64255ec7
SHA512 1798bcff83078bff4d22aaf42ff273005a2f1de70bea67d4c3bff7628deb0a50f3b11be6fa71f0ac2c78e1e4ec2bd7d65523a10c4a42c631731cfc0614c8b3c8

memory/1276-41-0x0000000006DD0000-0x0000000006DE0000-memory.dmp

memory/984-42-0x000007FEFAF10000-0x000007FEFAF5C000-memory.dmp