5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5

Analysis

max time kernel
111s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
Size

13.5MB
MD5

82de2c037ea20081eb8c9d4af793370e
SHA1

315ccb188e31d380e6898b27c6cfe14c234cb2fa
SHA256

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5
SHA512

5f4268f32917dd66bc825be314fa5775e450b90b8cda278e471350cc07649eafda38a22562d1dcf2063387393abc80332d2dcc645994045cac68d5679a495941
SSDEEP

393216:5RnaDbX91KXjBO7EFTejMe/r8GEtbF5bPt5M2CsveW:z8bN1m1O4FCMe/wHbPkcvp

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\{886F72FB-795E-45AB-9818-042645A1D1DD}\Disk1\ISSetup.dll	acprotect
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll	acprotect
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll	acprotect

Executes dropped EXE 5 IoCs

Processes:

qpgarne.exeqpgaime.exeqpgame.exeqpstars.exeISBEW64.exe

pid process

1972 qpgarne.exe
868 qpgaime.exe
1928 qpgame.exe
1180 qpstars.exe
1472 ISBEW64.exe

pid	process
1972	qpgarne.exe
868	qpgaime.exe
1928	qpgame.exe
1180	qpstars.exe
1472	ISBEW64.exe

Possible privilege escalation attempt 12 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
1264	takeown.exe
1084	takeown.exe
1280	takeown.exe
1724	icacls.exe
524	icacls.exe
556	takeown.exe
292	icacls.exe
760	icacls.exe
268	takeown.exe
2000	icacls.exe
820	takeown.exe
1536	icacls.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe	upx
behavioral1/memory/1972-62-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1972-71-0x0000000000400000-0x0000000000419000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\{886F72FB-795E-45AB-9818-042645A1D1DD}\Disk1\ISSetup.dll	upx
behavioral1/memory/1180-93-0x0000000010000000-0x0000000010197000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll	upx
behavioral1/memory/1180-97-0x0000000003BF0000-0x0000000003C7E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll	upx
behavioral1/memory/1180-107-0x00000000040C0000-0x0000000004109000-memory.dmp	upx
behavioral1/memory/1180-158-0x0000000010000000-0x0000000010197000-memory.dmp	upx
behavioral1/memory/1180-159-0x0000000003BF0000-0x0000000003C7E000-memory.dmp	upx

Loads dropped DLL 14 IoCs

Processes:

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exeqpgarne.exeqpstars.exe

pid	process
1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
1972	qpgarne.exe
1972	qpgarne.exe
1972	qpgarne.exe
1972	qpgarne.exe
1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
1180	qpstars.exe
1180	qpstars.exe
1180	qpstars.exe
1180	qpstars.exe
1180	qpstars.exe
1180	qpstars.exe
1180	qpstars.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
268	takeown.exe
820	takeown.exe
1536	icacls.exe
1264	takeown.exe
292	icacls.exe
1280	takeown.exe
1724	icacls.exe
524	icacls.exe
556	takeown.exe
2000	icacls.exe
1084	takeown.exe
760	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 21 IoCs

Processes:

qpgaime.exeqpgame.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123BC7.tmp	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\123BC6.tmp	qpgame.exe
File opened for modification	C:\Windows\syswow64\123BC6.tmp	qpgame.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\1238EDA.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\1239B3A.tmp	qpgame.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	qpgame.exe
File created	C:\Windows\SysWOW64\sxload.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\12392D0.tmp	qpgaime.exe
File opened for modification	C:\Windows\syswow64\12392D0.tmp	qpgaime.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	qpgame.exe
File opened for modification	C:\Windows\syswow64\1239ED3.tmp	qpgaime.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\1239ED3.tmp	qpgaime.exe
File opened for modification	C:\Windows\syswow64\123BC7.tmp	qpgaime.exe
File opened for modification	C:\Windows\syswow64\1238EDA.tmp	qpgame.exe
File opened for modification	C:\Windows\syswow64\1239B3A.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\midimap.dll	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\sxload.tmp	qpgaime.exe

Drops file in Program Files directory 2 IoCs

Processes:

qpgame.exeqpgaime.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxqp.tmp	qpgame.exe
File opened for modification	C:\Program Files (x86)\Common Files\sxqp.tmp	qpgaime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1344 taskkill.exe
896 taskkill.exe

pid	process
1344	taskkill.exe
896	taskkill.exe

Modifies registry class 24 IoCs

Processes:

qpstars.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\ = "ISENG64Lib"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0\\IsBE.dll"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS\ = "0"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	qpstars.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

qpgame.exeqpgaime.exe

pid process

1928 qpgame.exe
868 qpgaime.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

qpgame.exeqpgaime.exetakeown.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1928	qpgame.exe
Token: SeDebugPrivilege	868	qpgaime.exe
Token: SeTakeOwnershipPrivilege	1280	takeown.exe
Token: SeTakeOwnershipPrivilege	1084	takeown.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

qpgame.exeqpgaime.exe

pid	process
1928	qpgame.exe
868	qpgaime.exe
1928	qpgame.exe
868	qpgaime.exe
1928	qpgame.exe
868	qpgaime.exe
868	qpgaime.exe
1928	qpgame.exe
1928	qpgame.exe
868	qpgaime.exe
1928	qpgame.exe
1928	qpgame.exe
868	qpgaime.exe
1928	qpgame.exe
868	qpgaime.exe
868	qpgaime.exe
1928	qpgame.exe
868	qpgaime.exe
1928	qpgame.exe
868	qpgaime.exe
1928	qpgame.exe
1928	qpgame.exe
868	qpgaime.exe
868	qpgaime.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exeqpgarne.exeqpgaime.exeqpgame.execmd.execmd.execmd.execmd.exeqpstars.execmd.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1972	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 1992 wrote to memory of 1972	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 1992 wrote to memory of 1972	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 1992 wrote to memory of 1972	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 1972 wrote to memory of 868	1972	qpgarne.exe	qpgaime.exe
PID 1972 wrote to memory of 868	1972	qpgarne.exe	qpgaime.exe
PID 1972 wrote to memory of 868	1972	qpgarne.exe	qpgaime.exe
PID 1972 wrote to memory of 868	1972	qpgarne.exe	qpgaime.exe
PID 1972 wrote to memory of 1928	1972	qpgarne.exe	qpgame.exe
PID 1972 wrote to memory of 1928	1972	qpgarne.exe	qpgame.exe
PID 1972 wrote to memory of 1928	1972	qpgarne.exe	qpgame.exe
PID 1972 wrote to memory of 1928	1972	qpgarne.exe	qpgame.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 1992 wrote to memory of 1180	1992	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 868 wrote to memory of 384	868	qpgaime.exe	cmd.exe
PID 868 wrote to memory of 384	868	qpgaime.exe	cmd.exe
PID 868 wrote to memory of 384	868	qpgaime.exe	cmd.exe
PID 868 wrote to memory of 384	868	qpgaime.exe	cmd.exe
PID 1928 wrote to memory of 1828	1928	qpgame.exe	cmd.exe
PID 1928 wrote to memory of 1828	1928	qpgame.exe	cmd.exe
PID 1928 wrote to memory of 1828	1928	qpgame.exe	cmd.exe
PID 1928 wrote to memory of 1828	1928	qpgame.exe	cmd.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 992	1828	cmd.exe	cmd.exe
PID 384 wrote to memory of 1676	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1676	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1676	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1676	384	cmd.exe	cmd.exe
PID 992 wrote to memory of 1280	992	cmd.exe	takeown.exe
PID 992 wrote to memory of 1280	992	cmd.exe	takeown.exe
PID 992 wrote to memory of 1280	992	cmd.exe	takeown.exe
PID 992 wrote to memory of 1280	992	cmd.exe	takeown.exe
PID 1676 wrote to memory of 1084	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 1084	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 1084	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 1084	1676	cmd.exe	takeown.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	icacls.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	icacls.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	icacls.exe
PID 1828 wrote to memory of 1724	1828	cmd.exe	icacls.exe
PID 384 wrote to memory of 760	384	cmd.exe	icacls.exe
PID 384 wrote to memory of 760	384	cmd.exe	icacls.exe
PID 384 wrote to memory of 760	384	cmd.exe	icacls.exe
PID 384 wrote to memory of 760	384	cmd.exe	icacls.exe
PID 1180 wrote to memory of 1472	1180	qpstars.exe	ISBEW64.exe
PID 1180 wrote to memory of 1472	1180	qpstars.exe	ISBEW64.exe
PID 1180 wrote to memory of 1472	1180	qpstars.exe	ISBEW64.exe
PID 1180 wrote to memory of 1472	1180	qpstars.exe	ISBEW64.exe
PID 1928 wrote to memory of 1328	1928	qpgame.exe	cmd.exe
PID 1928 wrote to memory of 1328	1928	qpgame.exe	cmd.exe
PID 1928 wrote to memory of 1328	1928	qpgame.exe	cmd.exe
PID 1928 wrote to memory of 1328	1928	qpgame.exe	cmd.exe
PID 1328 wrote to memory of 588	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 588	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 588	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 588	1328	cmd.exe	cmd.exe
PID 588 wrote to memory of 268	588	cmd.exe	takeown.exe

C:\Users\Admin\AppData\Local\Temp\5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
"C:\Users\Admin\AppData\Local\Temp\5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\qpgaime.exe
"C:\Users\Admin\AppData\Roaming\qpgaime.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
5⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
4⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
5⤵
PID:1976

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:556

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
4⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
5⤵
PID:1728

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1264

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "hall.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
4⤵
PID:1044

C:\Users\Admin\AppData\Roaming\qpgame.exe
"C:\Users\Admin\AppData\Roaming\qpgame.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
5⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
5⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
4⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
5⤵
PID:992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "hall.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
4⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DAD1615-694D-4EEB-8618-DB979A4FD339}
3⤵
- Executes dropped EXE
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sxqp.tmp

Filesize
55KB

MD5
58ee791c522b4ab2749e716644ff29c3

SHA1
be0c1af57af5284f42edfabf1847e6376ed3c67e

SHA256
76495990967fd184d0682dc7215f72f78c4cf8301734956bac224ef20d90c733

SHA512
67a6caed931fba857d5286116ee38cce53821cb1b30ee7b9f4cfd3ee2ee76e5266406314d394202cc9d7c1831d4b376bc9f8014c0957570cb3cdb06ed84a0ad0

Download Submit
C:\ProgramData\InstallShield\ISEngine12.0\IsBE.dll

Filesize
52KB

MD5
9cf7faee57a20bf15a2fc9b423ebc512

SHA1
12cbf4d0a941bd5a8f847754fdaf4841e7751cce

SHA256
d34f26d85bfb94a5f017fdaf58b94ecf9553919d2aa9a9955ff0a2e3d7c11e4a

SHA512
44c715be4a98b9ce99c6d926500be3e365f8a08a4d8c85ae9342dc9ce76de29544f14acbf42d69f7f9e40ebdf0c6faa8cb5d4b3fc9d523479b12cf0823678672

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.bat

Filesize
131B

MD5
0c0c8a705fba7de45e8053a933bb01ae

SHA1
5f928dfdcf43e543c31e29d00754c0b9e835a73f

SHA256
a3f9746c4494a3d803a745c36c5c041a6254cfca5be32eed085c906c5fa699e4

SHA512
58ef6da93802bf258edf63ae7f0de73e99997977dd45f9d79332e76266dd83c3b129a590a319e7a2f4876d383b47a2f501c6c70a0b656da173eb57eee8c2ab62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.bat

Filesize
129B

MD5
a8f751b269f784de2123d78f9553a29d

SHA1
05664f9dffcd5532365f56b4c7023033c0261618

SHA256
43d95e9520d4aa7777a5546b129b8fe2e643ea168af2a92e69f96dc6f365ca60

SHA512
0a54e19a5493097d04e6ed3a8cb7e3359bfc8ccecde2892cec792366ee28bd7962a7aad7dffd6d6e7abe54acbf6a2be59b7b5633e58e0046455d642e2856ebad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe

Filesize
97KB

MD5
374aeda833a2fdb958c0df8f457ae115

SHA1
cfeb839135b642a2f1b82e28e7f77e245777f85e

SHA256
6cbb0e564c277667eaccf1b19d679f274d5c75eecf87b3cc2ac4a07b795f078d

SHA512
055f3232ee3ef6ad65ff3fc09ea3b801ae48666d203b2fb79bdb8e7af1d047b8386fddba3237c11dfacc10a1eda07694e40cb67e2001f58390b15b7d9fc40ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe

Filesize
97KB

MD5
374aeda833a2fdb958c0df8f457ae115

SHA1
cfeb839135b642a2f1b82e28e7f77e245777f85e

SHA256
6cbb0e564c277667eaccf1b19d679f274d5c75eecf87b3cc2ac4a07b795f078d

SHA512
055f3232ee3ef6ad65ff3fc09ea3b801ae48666d203b2fb79bdb8e7af1d047b8386fddba3237c11dfacc10a1eda07694e40cb67e2001f58390b15b7d9fc40ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe

Filesize
14.5MB

MD5
304ad8ada59cf485e15b9853a1194e92

SHA1
f654980a4931b2f4582ea248d95eaf002589ca6d

SHA256
cbc5afc6ea85869f3bdffcc5a7b3b03cb056601e698debd7a6d49939c0d14d49

SHA512
e7b6be2c86adf396b5a138d2f90aa99362dddd037f067e6396fafb8a7cb2ef3794d954c39df6f584b9578ead88f425034d99d1f6f6690341796734534aeebee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe

Filesize
14.5MB

MD5
304ad8ada59cf485e15b9853a1194e92

SHA1
f654980a4931b2f4582ea248d95eaf002589ca6d

SHA256
cbc5afc6ea85869f3bdffcc5a7b3b03cb056601e698debd7a6d49939c0d14d49

SHA512
e7b6be2c86adf396b5a138d2f90aa99362dddd037f067e6396fafb8a7cb2ef3794d954c39df6f584b9578ead88f425034d99d1f6f6690341796734534aeebee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\ISBEW64.exe

Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Roaming\qpgaime.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Users\Admin\AppData\Roaming\qpgaime.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Users\Admin\AppData\Roaming\qpgame.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Users\Admin\AppData\Roaming\qpgame.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Windows\SysWOW64\1238EDA.tmp

Filesize
11KB

MD5
cddf10bcfb67b5c85c26b592fe5d9e5f

SHA1
f5288a629ea2a4790fc99627e9faa1c66cfabb28

SHA256
f0190e3604ba8d576eb254fa9ee51c3bd0851012aed993e96519e7d9daadb623

SHA512
641a982840593bcaefcbe60a3a6f669017ec8737c04cbeffb827f116c9f59ebe62724c0a5a3cafd843e0630d701820ddf5b2af8bf8bbb9fab47bff8b9172b5f2

Download Submit
C:\Windows\SysWOW64\12392D0.tmp

Filesize
11KB

MD5
cddf10bcfb67b5c85c26b592fe5d9e5f

SHA1
f5288a629ea2a4790fc99627e9faa1c66cfabb28

SHA256
f0190e3604ba8d576eb254fa9ee51c3bd0851012aed993e96519e7d9daadb623

SHA512
641a982840593bcaefcbe60a3a6f669017ec8737c04cbeffb827f116c9f59ebe62724c0a5a3cafd843e0630d701820ddf5b2af8bf8bbb9fab47bff8b9172b5f2

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
101KB

MD5
a700ae6bd802b5a6b142884c281bf490

SHA1
b58bbcf2ca7372d03a36cc12f61a1550e4500700

SHA256
1d828f02d67ea939f85adce835027a039ee6d7ea810e7df692ff9f5e96dad40c

SHA512
6007d46d17d6f13a2ba4332d873e0e9f01c3bb7bddf92061d07cc406d132755fee55dd9df560e6394075e995ea8b80609b0956b8707da1726ff2fb7a3c410584

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
101KB

MD5
a700ae6bd802b5a6b142884c281bf490

SHA1
b58bbcf2ca7372d03a36cc12f61a1550e4500700

SHA256
1d828f02d67ea939f85adce835027a039ee6d7ea810e7df692ff9f5e96dad40c

SHA512
6007d46d17d6f13a2ba4332d873e0e9f01c3bb7bddf92061d07cc406d132755fee55dd9df560e6394075e995ea8b80609b0956b8707da1726ff2fb7a3c410584

Download Submit
C:\Windows\SysWOW64\dllcache\midimap.dll

Filesize
16KB

MD5
af84a83c3173f1f980ea5dff27fca101

SHA1
ad9c8de13e2682e33ba5e9df68c677ce746553bc

SHA256
75a3b0f8521e14d0e222cf7b61b5b8dc8f918b1c4dc414e735cc2baee9b7bada

SHA512
2d90d36857031f5295fddc1a2f4e5d85d119ec5a65f560990d59defeddafc63a9d3fb15adbbc5a01b0ec3b08f4d803677a71b64f55ad285edbd11e1e3bf1ba2d

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
11KB

MD5
cddf10bcfb67b5c85c26b592fe5d9e5f

SHA1
f5288a629ea2a4790fc99627e9faa1c66cfabb28

SHA256
f0190e3604ba8d576eb254fa9ee51c3bd0851012aed993e96519e7d9daadb623

SHA512
641a982840593bcaefcbe60a3a6f669017ec8737c04cbeffb827f116c9f59ebe62724c0a5a3cafd843e0630d701820ddf5b2af8bf8bbb9fab47bff8b9172b5f2

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
11KB

MD5
cddf10bcfb67b5c85c26b592fe5d9e5f

SHA1
f5288a629ea2a4790fc99627e9faa1c66cfabb28

SHA256
f0190e3604ba8d576eb254fa9ee51c3bd0851012aed993e96519e7d9daadb623

SHA512
641a982840593bcaefcbe60a3a6f669017ec8737c04cbeffb827f116c9f59ebe62724c0a5a3cafd843e0630d701820ddf5b2af8bf8bbb9fab47bff8b9172b5f2

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll

Filesize
101KB

MD5
a700ae6bd802b5a6b142884c281bf490

SHA1
b58bbcf2ca7372d03a36cc12f61a1550e4500700

SHA256
1d828f02d67ea939f85adce835027a039ee6d7ea810e7df692ff9f5e96dad40c

SHA512
6007d46d17d6f13a2ba4332d873e0e9f01c3bb7bddf92061d07cc406d132755fee55dd9df560e6394075e995ea8b80609b0956b8707da1726ff2fb7a3c410584

Download Submit
C:\Windows\SysWOW64\sxload.tmp

Filesize
5KB

MD5
7e82aa06e5669b76006d3daac566835e

SHA1
1b541f0178a1628c372b770b236e461c76be0ae1

SHA256
b1542a8b5f6c5ca93cb515de16c11fd13e020d2c047b9a2f865ef0960c23a3cb

SHA512
940169084829f05587968954bebc0472f876eac8c86b4b7c60bb8421fe051ec1115f8b898d9e0f80f7a22d124759c1ec9edc3b0fba67f180e9612262693ad750

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe

Filesize
97KB

MD5
374aeda833a2fdb958c0df8f457ae115

SHA1
cfeb839135b642a2f1b82e28e7f77e245777f85e

SHA256
6cbb0e564c277667eaccf1b19d679f274d5c75eecf87b3cc2ac4a07b795f078d

SHA512
055f3232ee3ef6ad65ff3fc09ea3b801ae48666d203b2fb79bdb8e7af1d047b8386fddba3237c11dfacc10a1eda07694e40cb67e2001f58390b15b7d9fc40ffc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe

Filesize
97KB

MD5
374aeda833a2fdb958c0df8f457ae115

SHA1
cfeb839135b642a2f1b82e28e7f77e245777f85e

SHA256
6cbb0e564c277667eaccf1b19d679f274d5c75eecf87b3cc2ac4a07b795f078d

SHA512
055f3232ee3ef6ad65ff3fc09ea3b801ae48666d203b2fb79bdb8e7af1d047b8386fddba3237c11dfacc10a1eda07694e40cb67e2001f58390b15b7d9fc40ffc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe

Filesize
14.5MB

MD5
304ad8ada59cf485e15b9853a1194e92

SHA1
f654980a4931b2f4582ea248d95eaf002589ca6d

SHA256
cbc5afc6ea85869f3bdffcc5a7b3b03cb056601e698debd7a6d49939c0d14d49

SHA512
e7b6be2c86adf396b5a138d2f90aa99362dddd037f067e6396fafb8a7cb2ef3794d954c39df6f584b9578ead88f425034d99d1f6f6690341796734534aeebee0

Download Submit
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\ISBEW64.exe

Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\ISBEW64.exe

Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_ISUser.dll

Filesize
160KB

MD5
efa7734e44fb5ea4f7142069727fd7d4

SHA1
66117a2c5a6c5c2d9773cabb2d7f138344a6511b

SHA256
72bf7d6529cbd30b5d532c7792b7e1b048d60bb2d8b59d19a1afd5f8122318ed

SHA512
d054ce60e04d8e45bde23c34a16baa3320559c6fb2722b5a87997c2d5043d950a2764dbb0b649fe695886e66ee19638c3ae5fb31941fa54b9aa517521e20d38f

Download Submit
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll

Filesize
82KB

MD5
72927c6e0d47e9f9f99977834e95e30f

SHA1
3ce88569ec60b41ad2c9ceea9db88d7af16887ac

SHA256
ed4790f99f36678635aefc403e3ff89e7f2b116fbdf3add1bc7c3f4ff914b6fe

SHA512
793e0f9b9dda2cda72e43877156b85fcc8f0c436f6b12bc0fdd3cee66eee44d41f92ba3e82b1249866b9db84c8b93254080b05d948f25d25c3b94596707220a4

Download Submit
\Users\Admin\AppData\Local\Temp\{72CEC894-D946-40FF-8D7E-9FEFEBB13ED0}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll

Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
\Users\Admin\AppData\Local\Temp\{886F72FB-795E-45AB-9818-042645A1D1DD}\Disk1\ISSetup.dll

Filesize
539KB

MD5
708814a62ba813cea1a94bb77d68195b

SHA1
39c99a215751832481dc9b2ac2d6dbb17435195d

SHA256
999c523b3e43f399966a49f3caeb2a7d8ccb39d5911dfe71fd15a6a0aa2b87fe

SHA512
426cd1a12e42212ff541b3bd9c239282d548596487929b17c657056958d71a77fce209c5daa606af4d0eb6c5f74779b6d332997d00e71f6ec80fd18407c57bd3

Download Submit
\Users\Admin\AppData\Local\Temp\{886F72FB-795E-45AB-9818-042645A1D1DD}\_Setup.dll

Filesize
376KB

MD5
2985a79020ec96afc2d1c8ab318b866f

SHA1
01e801eaa82ace4d521c651dadddacfb4fb278d9

SHA256
f9a007b9ec4a20fecfc004662028226e11ada038be69eab586c03a903c73fbad

SHA512
b496d72a942d3f95a062807fdd7c487d836e2c850ec5422967fbb5fe5bdb467806be24b09fa1ee035494e73ed9725e2fa441ec807d94423e873abef8eae94b55

Download Submit
\Users\Admin\AppData\Roaming\qpgaime.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
\Users\Admin\AppData\Roaming\qpgaime.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
\Users\Admin\AppData\Roaming\qpgame.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
\Users\Admin\AppData\Roaming\qpgame.exe

Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
memory/268-112-0x0000000000000000-mapping.dmp

Download
memory/292-139-0x0000000000000000-mapping.dmp

Download
memory/384-79-0x0000000000000000-mapping.dmp

Download
memory/524-113-0x0000000000000000-mapping.dmp

Download
memory/556-119-0x0000000000000000-mapping.dmp

Download
memory/588-111-0x0000000000000000-mapping.dmp

Download
memory/760-92-0x0000000000000000-mapping.dmp

Download
memory/820-130-0x0000000000000000-mapping.dmp

Download
memory/868-65-0x0000000000000000-mapping.dmp

Download
memory/868-123-0x0000000073C21000-0x0000000073C23000-memory.dmp

Filesize
8KB

Download
memory/896-147-0x0000000000000000-mapping.dmp

Download
memory/992-85-0x0000000000000000-mapping.dmp

Download
memory/992-129-0x0000000000000000-mapping.dmp

Download
memory/1044-156-0x0000000000000000-mapping.dmp

Download
memory/1084-88-0x0000000000000000-mapping.dmp

Download
memory/1180-159-0x0000000003BF0000-0x0000000003C7E000-memory.dmp

Filesize
568KB

Download
memory/1180-75-0x0000000000000000-mapping.dmp

Download
memory/1180-158-0x0000000010000000-0x0000000010197000-memory.dmp

Filesize
1.6MB

Download
memory/1180-97-0x0000000003BF0000-0x0000000003C7E000-memory.dmp

Filesize
568KB

Download
memory/1180-93-0x0000000010000000-0x0000000010197000-memory.dmp

Filesize
1.6MB

Download
memory/1180-107-0x00000000040C0000-0x0000000004109000-memory.dmp

Filesize
292KB

Download
memory/1264-138-0x0000000000000000-mapping.dmp

Download
memory/1276-135-0x0000000000000000-mapping.dmp

Download
memory/1280-87-0x0000000000000000-mapping.dmp

Download
memory/1328-109-0x0000000000000000-mapping.dmp

Download
memory/1344-153-0x0000000000000000-mapping.dmp

Download
memory/1472-102-0x0000000000000000-mapping.dmp

Download
memory/1480-127-0x0000000000000000-mapping.dmp

Download
memory/1536-131-0x0000000000000000-mapping.dmp

Download
memory/1592-115-0x0000000000000000-mapping.dmp

Download
memory/1676-86-0x0000000000000000-mapping.dmp

Download
memory/1724-91-0x0000000000000000-mapping.dmp

Download
memory/1728-137-0x0000000000000000-mapping.dmp

Download
memory/1828-80-0x0000000000000000-mapping.dmp

Download
memory/1872-154-0x0000000000000000-mapping.dmp

Download
memory/1928-94-0x00000000741D1000-0x00000000741D3000-memory.dmp

Filesize
8KB

Download
memory/1928-69-0x0000000000000000-mapping.dmp

Download
memory/1928-105-0x0000000073D91000-0x0000000073D93000-memory.dmp

Filesize
8KB

Download
memory/1972-58-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1972-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1972-71-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1972-56-0x0000000000000000-mapping.dmp

Download
memory/1976-118-0x0000000000000000-mapping.dmp

Download
memory/1992-61-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/1992-60-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/1992-83-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/1992-82-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/2000-120-0x0000000000000000-mapping.dmp

Download