5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5

Analysis

max time kernel
150s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
Size

13.5MB
MD5

82de2c037ea20081eb8c9d4af793370e
SHA1

315ccb188e31d380e6898b27c6cfe14c234cb2fa
SHA256

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5
SHA512

5f4268f32917dd66bc825be314fa5775e450b90b8cda278e471350cc07649eafda38a22562d1dcf2063387393abc80332d2dcc645994045cac68d5679a495941
SSDEEP

393216:5RnaDbX91KXjBO7EFTejMe/r8GEtbF5bPt5M2CsveW:z8bN1m1O4FCMe/wHbPkcvp

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\Disk1\ISSetup.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\Disk1\ISSetup.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll	acprotect

Executes dropped EXE 5 IoCs

Processes:

qpgarne.exeqpgaime.exeqpgame.exeqpstars.exeISBEW64.exe

pid process

3696 qpgarne.exe
3620 qpgaime.exe
4224 qpgame.exe
4316 qpstars.exe
2376 ISBEW64.exe

pid	process
3696	qpgarne.exe
3620	qpgaime.exe
4224	qpgame.exe
4316	qpstars.exe
2376	ISBEW64.exe

Possible privilege escalation attempt 12 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
3348	icacls.exe
364	takeown.exe
4664	takeown.exe
692	takeown.exe
2380	icacls.exe
4572	takeown.exe
4284	icacls.exe
1040	icacls.exe
3708	icacls.exe
2424	icacls.exe
2436	takeown.exe
2108	takeown.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe	upx
behavioral2/memory/3696-135-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/3696-142-0x0000000000400000-0x0000000000419000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\Disk1\ISSetup.dll	upx
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\Disk1\ISSetup.dll	upx
behavioral2/memory/4316-158-0x0000000002570000-0x0000000002707000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll	upx
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll	upx
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll	upx
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll	upx
behavioral2/memory/4316-170-0x0000000003640000-0x00000000036CE000-memory.dmp	upx
behavioral2/memory/4316-171-0x0000000003A00000-0x0000000003A49000-memory.dmp	upx
behavioral2/memory/4316-181-0x0000000002570000-0x0000000002707000-memory.dmp	upx
behavioral2/memory/4316-208-0x0000000003640000-0x00000000036CE000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

qpstars.exe

pid	process
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe
4316	qpstars.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
4572	takeown.exe
2436	takeown.exe
3348	icacls.exe
2108	takeown.exe
1040	icacls.exe
364	takeown.exe
3708	icacls.exe
692	takeown.exe
2424	icacls.exe
4284	icacls.exe
4664	takeown.exe
2380	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

Processes:

qpgame.exeqpgaime.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1238A8E.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\1235C17.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\1235C18.tmp	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\1238069.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	qpgaime.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\midimap.dll	qpgaime.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	qpgaime.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\1238A8F.tmp	qpgaime.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\12380D6.tmp	qpgaime.exe
File created	C:\Windows\SysWOW64\sxload.tmp	qpgame.exe
File opened for modification	C:\Windows\SysWOW64\sxload.tmp	qpgaime.exe

Drops file in Program Files directory 2 IoCs

Processes:

qpgame.exeqpgaime.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxqp.tmp	qpgame.exe
File opened for modification	C:\Program Files (x86)\Common Files\sxqp.tmp	qpgaime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3076 taskkill.exe
4120 taskkill.exe

pid	process
3076	taskkill.exe
4120	taskkill.exe

Modifies registry class 24 IoCs

Processes:

qpstars.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\ = "ISENG64Lib"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0\\IsBE.dll"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\FLAGS\ = "0"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0\win32	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\Version = "1.0"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\TypeLib\ = "{7B90789A-10ED-4F8A-B537-8AB74FED0023}"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\0	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B90789A-10ED-4F8A-B537-8AB74FED0023}\1.0\HELPDIR\ = "C:\\ProgramData\\InstallShield\\ISEngine12.0"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ = "IISBEW64Utils"	qpstars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32	qpstars.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101A9FA5-98CB-4AC3-B67C-3DC040C45996}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	qpstars.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

qpgame.exeqpgaime.exe

pid process

4224 qpgame.exe
4224 qpgame.exe
3620 qpgaime.exe
3620 qpgaime.exe

pid	process
4224	qpgame.exe
4224	qpgame.exe
3620	qpgaime.exe
3620	qpgaime.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

qpgaime.exeqpgame.exetakeown.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3620	qpgaime.exe
Token: SeDebugPrivilege	4224	qpgame.exe
Token: SeTakeOwnershipPrivilege	4572	takeown.exe
Token: SeTakeOwnershipPrivilege	2436	takeown.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

qpgaime.exeqpgame.exe

pid	process
3620	qpgaime.exe
4224	qpgame.exe
4224	qpgame.exe
3620	qpgaime.exe
4224	qpgame.exe
4224	qpgame.exe
3620	qpgaime.exe
3620	qpgaime.exe
4224	qpgame.exe
3620	qpgaime.exe
3620	qpgaime.exe
4224	qpgame.exe
4224	qpgame.exe
4224	qpgame.exe
3620	qpgaime.exe
3620	qpgaime.exe
4224	qpgame.exe
3620	qpgaime.exe
4224	qpgame.exe
3620	qpgaime.exe
4224	qpgame.exe
3620	qpgaime.exe
4224	qpgame.exe
3620	qpgaime.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exeqpgarne.exeqpgaime.exeqpgame.execmd.execmd.execmd.execmd.exeqpstars.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2480 wrote to memory of 3696	2480	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 2480 wrote to memory of 3696	2480	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 2480 wrote to memory of 3696	2480	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpgarne.exe
PID 3696 wrote to memory of 3620	3696	qpgarne.exe	qpgaime.exe
PID 3696 wrote to memory of 3620	3696	qpgarne.exe	qpgaime.exe
PID 3696 wrote to memory of 3620	3696	qpgarne.exe	qpgaime.exe
PID 3696 wrote to memory of 4224	3696	qpgarne.exe	qpgame.exe
PID 3696 wrote to memory of 4224	3696	qpgarne.exe	qpgame.exe
PID 3696 wrote to memory of 4224	3696	qpgarne.exe	qpgame.exe
PID 3620 wrote to memory of 4980	3620	qpgaime.exe	cmd.exe
PID 3620 wrote to memory of 4980	3620	qpgaime.exe	cmd.exe
PID 3620 wrote to memory of 4980	3620	qpgaime.exe	cmd.exe
PID 4224 wrote to memory of 4272	4224	qpgame.exe	cmd.exe
PID 4224 wrote to memory of 4272	4224	qpgame.exe	cmd.exe
PID 4224 wrote to memory of 4272	4224	qpgame.exe	cmd.exe
PID 4980 wrote to memory of 2144	4980	cmd.exe	cmd.exe
PID 4980 wrote to memory of 2144	4980	cmd.exe	cmd.exe
PID 4980 wrote to memory of 2144	4980	cmd.exe	cmd.exe
PID 2480 wrote to memory of 4316	2480	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 2480 wrote to memory of 4316	2480	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 2480 wrote to memory of 4316	2480	5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe	qpstars.exe
PID 4272 wrote to memory of 1828	4272	cmd.exe	cmd.exe
PID 4272 wrote to memory of 1828	4272	cmd.exe	cmd.exe
PID 4272 wrote to memory of 1828	4272	cmd.exe	cmd.exe
PID 2144 wrote to memory of 4572	2144	cmd.exe	takeown.exe
PID 2144 wrote to memory of 4572	2144	cmd.exe	takeown.exe
PID 2144 wrote to memory of 4572	2144	cmd.exe	takeown.exe
PID 1828 wrote to memory of 2436	1828	cmd.exe	takeown.exe
PID 1828 wrote to memory of 2436	1828	cmd.exe	takeown.exe
PID 1828 wrote to memory of 2436	1828	cmd.exe	takeown.exe
PID 4272 wrote to memory of 3348	4272	cmd.exe	icacls.exe
PID 4980 wrote to memory of 4284	4980	cmd.exe	icacls.exe
PID 4272 wrote to memory of 3348	4272	cmd.exe	icacls.exe
PID 4272 wrote to memory of 3348	4272	cmd.exe	icacls.exe
PID 4980 wrote to memory of 4284	4980	cmd.exe	icacls.exe
PID 4980 wrote to memory of 4284	4980	cmd.exe	icacls.exe
PID 4316 wrote to memory of 2376	4316	qpstars.exe	ISBEW64.exe
PID 4316 wrote to memory of 2376	4316	qpstars.exe	ISBEW64.exe
PID 4224 wrote to memory of 4992	4224	qpgame.exe	cmd.exe
PID 4224 wrote to memory of 4992	4224	qpgame.exe	cmd.exe
PID 4224 wrote to memory of 4992	4224	qpgame.exe	cmd.exe
PID 3620 wrote to memory of 2304	3620	qpgaime.exe	cmd.exe
PID 3620 wrote to memory of 2304	3620	qpgaime.exe	cmd.exe
PID 3620 wrote to memory of 2304	3620	qpgaime.exe	cmd.exe
PID 4992 wrote to memory of 5064	4992	cmd.exe	cmd.exe
PID 4992 wrote to memory of 5064	4992	cmd.exe	cmd.exe
PID 4992 wrote to memory of 5064	4992	cmd.exe	cmd.exe
PID 5064 wrote to memory of 2108	5064	cmd.exe	takeown.exe
PID 5064 wrote to memory of 2108	5064	cmd.exe	takeown.exe
PID 5064 wrote to memory of 2108	5064	cmd.exe	takeown.exe
PID 2304 wrote to memory of 2664	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 2664	2304	cmd.exe	cmd.exe
PID 2304 wrote to memory of 2664	2304	cmd.exe	cmd.exe
PID 4992 wrote to memory of 1040	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 1040	4992	cmd.exe	icacls.exe
PID 4992 wrote to memory of 1040	4992	cmd.exe	icacls.exe
PID 2664 wrote to memory of 364	2664	cmd.exe	takeown.exe
PID 2664 wrote to memory of 364	2664	cmd.exe	takeown.exe
PID 2664 wrote to memory of 364	2664	cmd.exe	takeown.exe
PID 2304 wrote to memory of 3708	2304	cmd.exe	icacls.exe
PID 2304 wrote to memory of 3708	2304	cmd.exe	icacls.exe
PID 2304 wrote to memory of 3708	2304	cmd.exe	icacls.exe
PID 4224 wrote to memory of 644	4224	qpgame.exe	cmd.exe
PID 4224 wrote to memory of 644	4224	qpgame.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe
"C:\Users\Admin\AppData\Local\Temp\5a4910267d536ebda33f150cb26541d6240f9091f7876dbcb5e306f2e1a455a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Roaming\qpgaime.exe
"C:\Users\Admin\AppData\Roaming\qpgaime.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
PID:4480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2424

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "hall.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
4⤵
PID:4936

C:\Users\Admin\AppData\Roaming\qpgame.exe
"C:\Users\Admin\AppData\Roaming\qpgame.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
PID:4424

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "hall.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
4⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CC842A8-3322-463B-A2D5-EFDD1EFF16B2}
3⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4664

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sxqp.tmp
Filesize
55KB

MD5
58ee791c522b4ab2749e716644ff29c3

SHA1
be0c1af57af5284f42edfabf1847e6376ed3c67e

SHA256
76495990967fd184d0682dc7215f72f78c4cf8301734956bac224ef20d90c733

SHA512
67a6caed931fba857d5286116ee38cce53821cb1b30ee7b9f4cfd3ee2ee76e5266406314d394202cc9d7c1831d4b376bc9f8014c0957570cb3cdb06ed84a0ad0

Download Submit
C:\ProgramData\InstallShield\ISEngine12.0\IsBE.dll
Filesize
52KB

MD5
9cf7faee57a20bf15a2fc9b423ebc512

SHA1
12cbf4d0a941bd5a8f847754fdaf4841e7751cce

SHA256
d34f26d85bfb94a5f017fdaf58b94ecf9553919d2aa9a9955ff0a2e3d7c11e4a

SHA512
44c715be4a98b9ce99c6d926500be3e365f8a08a4d8c85ae9342dc9ce76de29544f14acbf42d69f7f9e40ebdf0c6faa8cb5d4b3fc9d523479b12cf0823678672

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.bat
Filesize
260B

MD5
ebf5cd4412c770fb62a71d468cf525e8

SHA1
dad601802c75e477055041072277e55e1146b4b4

SHA256
92479588ed04dc0ca1e08c938e8fc7b1f55e0ae69c2e55849959539ed0b71a5a

SHA512
e856f628a20bb18ee1e7aaae35efb6b4f4776264cd3bfc09bb197b81dda9167b14ae77615f7b4d0255449462118207f0bc79f8606096fc0423f8dce4da9f8aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.bat
Filesize
260B

MD5
ebf5cd4412c770fb62a71d468cf525e8

SHA1
dad601802c75e477055041072277e55e1146b4b4

SHA256
92479588ed04dc0ca1e08c938e8fc7b1f55e0ae69c2e55849959539ed0b71a5a

SHA512
e856f628a20bb18ee1e7aaae35efb6b4f4776264cd3bfc09bb197b81dda9167b14ae77615f7b4d0255449462118207f0bc79f8606096fc0423f8dce4da9f8aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe
Filesize
97KB

MD5
374aeda833a2fdb958c0df8f457ae115

SHA1
cfeb839135b642a2f1b82e28e7f77e245777f85e

SHA256
6cbb0e564c277667eaccf1b19d679f274d5c75eecf87b3cc2ac4a07b795f078d

SHA512
055f3232ee3ef6ad65ff3fc09ea3b801ae48666d203b2fb79bdb8e7af1d047b8386fddba3237c11dfacc10a1eda07694e40cb67e2001f58390b15b7d9fc40ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpgarne.exe
Filesize
97KB

MD5
374aeda833a2fdb958c0df8f457ae115

SHA1
cfeb839135b642a2f1b82e28e7f77e245777f85e

SHA256
6cbb0e564c277667eaccf1b19d679f274d5c75eecf87b3cc2ac4a07b795f078d

SHA512
055f3232ee3ef6ad65ff3fc09ea3b801ae48666d203b2fb79bdb8e7af1d047b8386fddba3237c11dfacc10a1eda07694e40cb67e2001f58390b15b7d9fc40ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe
Filesize
14.5MB

MD5
304ad8ada59cf485e15b9853a1194e92

SHA1
f654980a4931b2f4582ea248d95eaf002589ca6d

SHA256
cbc5afc6ea85869f3bdffcc5a7b3b03cb056601e698debd7a6d49939c0d14d49

SHA512
e7b6be2c86adf396b5a138d2f90aa99362dddd037f067e6396fafb8a7cb2ef3794d954c39df6f584b9578ead88f425034d99d1f6f6690341796734534aeebee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qpstars.exe
Filesize
14.5MB

MD5
304ad8ada59cf485e15b9853a1194e92

SHA1
f654980a4931b2f4582ea248d95eaf002589ca6d

SHA256
cbc5afc6ea85869f3bdffcc5a7b3b03cb056601e698debd7a6d49939c0d14d49

SHA512
e7b6be2c86adf396b5a138d2f90aa99362dddd037f067e6396fafb8a7cb2ef3794d954c39df6f584b9578ead88f425034d99d1f6f6690341796734534aeebee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\Disk1\ISSetup.dll
Filesize
539KB

MD5
708814a62ba813cea1a94bb77d68195b

SHA1
39c99a215751832481dc9b2ac2d6dbb17435195d

SHA256
999c523b3e43f399966a49f3caeb2a7d8ccb39d5911dfe71fd15a6a0aa2b87fe

SHA512
426cd1a12e42212ff541b3bd9c239282d548596487929b17c657056958d71a77fce209c5daa606af4d0eb6c5f74779b6d332997d00e71f6ec80fd18407c57bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\Disk1\ISSetup.dll
Filesize
539KB

MD5
708814a62ba813cea1a94bb77d68195b

SHA1
39c99a215751832481dc9b2ac2d6dbb17435195d

SHA256
999c523b3e43f399966a49f3caeb2a7d8ccb39d5911dfe71fd15a6a0aa2b87fe

SHA512
426cd1a12e42212ff541b3bd9c239282d548596487929b17c657056958d71a77fce209c5daa606af4d0eb6c5f74779b6d332997d00e71f6ec80fd18407c57bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\_Setup.dll
Filesize
376KB

MD5
2985a79020ec96afc2d1c8ab318b866f

SHA1
01e801eaa82ace4d521c651dadddacfb4fb278d9

SHA256
f9a007b9ec4a20fecfc004662028226e11ada038be69eab586c03a903c73fbad

SHA512
b496d72a942d3f95a062807fdd7c487d836e2c850ec5422967fbb5fe5bdb467806be24b09fa1ee035494e73ed9725e2fa441ec807d94423e873abef8eae94b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{265A8BCB-E9D1-44BA-9FD8-63878A7DA1B0}\_Setup.dll
Filesize
376KB

MD5
2985a79020ec96afc2d1c8ab318b866f

SHA1
01e801eaa82ace4d521c651dadddacfb4fb278d9

SHA256
f9a007b9ec4a20fecfc004662028226e11ada038be69eab586c03a903c73fbad

SHA512
b496d72a942d3f95a062807fdd7c487d836e2c850ec5422967fbb5fe5bdb467806be24b09fa1ee035494e73ed9725e2fa441ec807d94423e873abef8eae94b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\ISBEW64.exe
Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\ISBEW64.exe
Filesize
68KB

MD5
4b56c021299344676f123fcb48f53c1e

SHA1
cbef3152c477c9176120030b164a4a807b527d8e

SHA256
0444971c7c19df0c4e5f8ad75c12ac277638470460eb7747122539960ed5e99f

SHA512
097bbc9f0140e9a14e494b6569e38b88ad390d6befa03e75a8c671e2e5fd93ee55ad50994733c957c32c85f2061d6f4d32b4b8257b3b44d5924ca10e940f779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_ISUser.dll
Filesize
160KB

MD5
efa7734e44fb5ea4f7142069727fd7d4

SHA1
66117a2c5a6c5c2d9773cabb2d7f138344a6511b

SHA256
72bf7d6529cbd30b5d532c7792b7e1b048d60bb2d8b59d19a1afd5f8122318ed

SHA512
d054ce60e04d8e45bde23c34a16baa3320559c6fb2722b5a87997c2d5043d950a2764dbb0b649fe695886e66ee19638c3ae5fb31941fa54b9aa517521e20d38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_ISUser.dll
Filesize
160KB

MD5
efa7734e44fb5ea4f7142069727fd7d4

SHA1
66117a2c5a6c5c2d9773cabb2d7f138344a6511b

SHA256
72bf7d6529cbd30b5d532c7792b7e1b048d60bb2d8b59d19a1afd5f8122318ed

SHA512
d054ce60e04d8e45bde23c34a16baa3320559c6fb2722b5a87997c2d5043d950a2764dbb0b649fe695886e66ee19638c3ae5fb31941fa54b9aa517521e20d38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll
Filesize
82KB

MD5
72927c6e0d47e9f9f99977834e95e30f

SHA1
3ce88569ec60b41ad2c9ceea9db88d7af16887ac

SHA256
ed4790f99f36678635aefc403e3ff89e7f2b116fbdf3add1bc7c3f4ff914b6fe

SHA512
793e0f9b9dda2cda72e43877156b85fcc8f0c436f6b12bc0fdd3cee66eee44d41f92ba3e82b1249866b9db84c8b93254080b05d948f25d25c3b94596707220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\_IsRes.dll
Filesize
82KB

MD5
72927c6e0d47e9f9f99977834e95e30f

SHA1
3ce88569ec60b41ad2c9ceea9db88d7af16887ac

SHA256
ed4790f99f36678635aefc403e3ff89e7f2b116fbdf3add1bc7c3f4ff914b6fe

SHA512
793e0f9b9dda2cda72e43877156b85fcc8f0c436f6b12bc0fdd3cee66eee44d41f92ba3e82b1249866b9db84c8b93254080b05d948f25d25c3b94596707220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll
Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8DEF7C07-501A-4F02-9264-16E37B72B880}\{C6DB1A2A-DD1A-4947-A0E1-0B305F5180E5}\isrt.dll
Filesize
203KB

MD5
b35dde51d14f9400e73196693148734e

SHA1
9410c5268f5558e57d044780d0d5dcc7aa181299

SHA256
70fa7f0aa2feb397597b2785a4bfdb2c9cd36e0edb51f4f0dfe6ac086290ac86

SHA512
6bb24c8864078c923007c1818bb0a590ebe84e2fbe6f2642dc951b05c42da1c33861f150c4ea8943657259c1c309a69b8cb1817b6a207cb9e577bc3aa8bfa79d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
ad87ae82c52c35a2b0dc62ae8f82fc68

SHA1
20683859b57620f19a55a462189966a25d5e82c1

SHA256
b103050968fc468b04fc40617ecaf4931acf2c1ec7bd0cb5bf7b740160fd8aac

SHA512
cbd3ab20ede57e15dbffd3866583ad4a4fc8d6d5687cdd7f3710d8308e7972f0f878861745dc0f9406d5926016beb4cd4374a8302d66e6c0a5b90c85518426d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
00c3e928461e1cc2eaf36c4de064bba2

SHA1
bb2f3d783685d97bc916e03b1f5c28a281c3f91e

SHA256
22ec73da378b3ccc8144dd7e042905e1714ffd36ff2d34f86c49d0f017d8ab97

SHA512
642e5d24619503b98282bd8059083b48e2e996616ca6a0e5107807ed2221404c4fe0aa8393e0a44f16158633a7f28366cd5915acff061eb0f94460796fb8ce0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
00c3e928461e1cc2eaf36c4de064bba2

SHA1
bb2f3d783685d97bc916e03b1f5c28a281c3f91e

SHA256
22ec73da378b3ccc8144dd7e042905e1714ffd36ff2d34f86c49d0f017d8ab97

SHA512
642e5d24619503b98282bd8059083b48e2e996616ca6a0e5107807ed2221404c4fe0aa8393e0a44f16158633a7f28366cd5915acff061eb0f94460796fb8ce0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
54090fd50f0f00e548803e974c3b7b84

SHA1
eb47c864becd8ae86ced5fbb1bb5b2006102e7c8

SHA256
dd71287de4d756643683d6caf0527cf5451c88196c9428efd8359eff871bad7a

SHA512
7b285ab32d71bc84fe867c223a92911ffd792c473c02c133bfe1a29baa89756b019a1946172fc0822d0a44c2d85cc8f28a60b333f0512d7229f194ae071de147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
54090fd50f0f00e548803e974c3b7b84

SHA1
eb47c864becd8ae86ced5fbb1bb5b2006102e7c8

SHA256
dd71287de4d756643683d6caf0527cf5451c88196c9428efd8359eff871bad7a

SHA512
7b285ab32d71bc84fe867c223a92911ffd792c473c02c133bfe1a29baa89756b019a1946172fc0822d0a44c2d85cc8f28a60b333f0512d7229f194ae071de147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
54090fd50f0f00e548803e974c3b7b84

SHA1
eb47c864becd8ae86ced5fbb1bb5b2006102e7c8

SHA256
dd71287de4d756643683d6caf0527cf5451c88196c9428efd8359eff871bad7a

SHA512
7b285ab32d71bc84fe867c223a92911ffd792c473c02c133bfe1a29baa89756b019a1946172fc0822d0a44c2d85cc8f28a60b333f0512d7229f194ae071de147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
54090fd50f0f00e548803e974c3b7b84

SHA1
eb47c864becd8ae86ced5fbb1bb5b2006102e7c8

SHA256
dd71287de4d756643683d6caf0527cf5451c88196c9428efd8359eff871bad7a

SHA512
7b285ab32d71bc84fe867c223a92911ffd792c473c02c133bfe1a29baa89756b019a1946172fc0822d0a44c2d85cc8f28a60b333f0512d7229f194ae071de147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
3c4d0c03a48ce7376ee8796942fe54f0

SHA1
c90cc2f9ad5c732835ea46d2f4541ede9c28b3c2

SHA256
b40cc109f3339a537270732b1b0a61d53b60f63def7e524bfb823eb7523606ab

SHA512
831bf4994c79995284cecbef76034f246d9f276c65fc5fa502b42e47c32d92a9c39d4b3ac5cb5ddf179ceef247c7a2fd2bd9e5805e93cccd1f1941328eb42d61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
74edf0d152ffcbf572448a9d2bbe9087

SHA1
ced61693bcc18465223d636b4c3cb34b319a70e8

SHA256
7737bb998c573d7ff9733d74b7b7c1442d3c6b938da7ac6492f5f43411b9596c

SHA512
d10506e2b1ab23907cbf84ac8b08db23e9e126ae496efa94fb73529d03d781c3c5d4faa4fc02c8caa57e0e8261f29d9ed636d5f5ecc934fe07d7c781bcb38177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
74edf0d152ffcbf572448a9d2bbe9087

SHA1
ced61693bcc18465223d636b4c3cb34b319a70e8

SHA256
7737bb998c573d7ff9733d74b7b7c1442d3c6b938da7ac6492f5f43411b9596c

SHA512
d10506e2b1ab23907cbf84ac8b08db23e9e126ae496efa94fb73529d03d781c3c5d4faa4fc02c8caa57e0e8261f29d9ed636d5f5ecc934fe07d7c781bcb38177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
74edf0d152ffcbf572448a9d2bbe9087

SHA1
ced61693bcc18465223d636b4c3cb34b319a70e8

SHA256
7737bb998c573d7ff9733d74b7b7c1442d3c6b938da7ac6492f5f43411b9596c

SHA512
d10506e2b1ab23907cbf84ac8b08db23e9e126ae496efa94fb73529d03d781c3c5d4faa4fc02c8caa57e0e8261f29d9ed636d5f5ecc934fe07d7c781bcb38177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
ac6d6e8ec8c3ea356f6dcbc44baed1c2

SHA1
2e93def2c8bf582d6808e580d1927ebf3700f82d

SHA256
03e0299aa7a7b5442696b54898317c834746a398fef5fefd675dc9e38b4a65b5

SHA512
90efd4cada2dac016b2b255b58f7779b5f44220ae6302275a5af0f4bbbd554ca88fb886d3ad8221b9b7128a050d90ce1ff7a998f771f033e2e7f9f033ee887ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
9KB

MD5
ac6d6e8ec8c3ea356f6dcbc44baed1c2

SHA1
2e93def2c8bf582d6808e580d1927ebf3700f82d

SHA256
03e0299aa7a7b5442696b54898317c834746a398fef5fefd675dc9e38b4a65b5

SHA512
90efd4cada2dac016b2b255b58f7779b5f44220ae6302275a5af0f4bbbd554ca88fb886d3ad8221b9b7128a050d90ce1ff7a998f771f033e2e7f9f033ee887ba

Download Submit
C:\Users\Admin\AppData\Roaming\qpgaime.exe
Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Users\Admin\AppData\Roaming\qpgaime.exe
Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Users\Admin\AppData\Roaming\qpgame.exe
Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Users\Admin\AppData\Roaming\qpgame.exe
Filesize
28KB

MD5
1dffce8d118da3028da6a7f2c6015479

SHA1
627e5149dec1c88e5dad73775add734153e79a56

SHA256
f062ac7c16a5faae14d49c1fcd40f362690297edc629fb15c75fcccbd7f4ec83

SHA512
099475a6b3ff5121998ee9c4f3ef4b4622614409eb4d27d16228346750b667112b27b75141cc9461595925f259e6115f2c49b4840be0ad6799b134c1a1409d83

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
34153e39b10468c9ae8ec7f68dfbc423

SHA1
68e2cd47c99122786fb494453380ec8dd24bbf39

SHA256
5c2ba6d0d9578b3f18e27710a7b5f65d858c38448b201d29fde9d44ea7bfb9fd

SHA512
513bf7c8c8ffddc25b6989c88f1efb3e3079f81ca544cd27c99135f6fabd99578dccc1091e56e144e0436f99ede939565a52ca8f6fe08f3ad8b190d523a97820

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
34153e39b10468c9ae8ec7f68dfbc423

SHA1
68e2cd47c99122786fb494453380ec8dd24bbf39

SHA256
5c2ba6d0d9578b3f18e27710a7b5f65d858c38448b201d29fde9d44ea7bfb9fd

SHA512
513bf7c8c8ffddc25b6989c88f1efb3e3079f81ca544cd27c99135f6fabd99578dccc1091e56e144e0436f99ede939565a52ca8f6fe08f3ad8b190d523a97820

Download Submit
C:\Windows\SysWOW64\dllcache\midimap.dll
Filesize
18KB

MD5
1168192f4871ffa51129435f37fedbc4

SHA1
8dbe0e254563d21fb2d2ab2c0400ae2f200b9b2c

SHA256
7586ad459835579e71f88bbb9c05e6f9174ff0721d5826eb990b4669655a1033

SHA512
528b63d398e571d64adb7200370822cb9335e75a25b7022302aa2518f5acb31975d93b310e78914a97903e52bd7a731599336a0c5acff417201a614bf519a639

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
9936cb0ca376b02afdad243af3d54cfe

SHA1
9f448a16fbc4b93e2642ab5fbd83d8b1417e37d6

SHA256
491bb277e0eeaf2cabdf9d129fce13c485e9b9e0c48a55c399fc869122ad9acf

SHA512
7e5a36e184709676578f76502f0f753b8e7031923af01e30985ac1daa3ea4c5bd0dda467036ee91461c9ce0808ea30c701e72a77a9426396b44ebd6e1a7eb478

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
9936cb0ca376b02afdad243af3d54cfe

SHA1
9f448a16fbc4b93e2642ab5fbd83d8b1417e37d6

SHA256
491bb277e0eeaf2cabdf9d129fce13c485e9b9e0c48a55c399fc869122ad9acf

SHA512
7e5a36e184709676578f76502f0f753b8e7031923af01e30985ac1daa3ea4c5bd0dda467036ee91461c9ce0808ea30c701e72a77a9426396b44ebd6e1a7eb478

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
34153e39b10468c9ae8ec7f68dfbc423

SHA1
68e2cd47c99122786fb494453380ec8dd24bbf39

SHA256
5c2ba6d0d9578b3f18e27710a7b5f65d858c38448b201d29fde9d44ea7bfb9fd

SHA512
513bf7c8c8ffddc25b6989c88f1efb3e3079f81ca544cd27c99135f6fabd99578dccc1091e56e144e0436f99ede939565a52ca8f6fe08f3ad8b190d523a97820

Download Submit
C:\Windows\SysWOW64\midimap.dll
Filesize
18KB

MD5
1168192f4871ffa51129435f37fedbc4

SHA1
8dbe0e254563d21fb2d2ab2c0400ae2f200b9b2c

SHA256
7586ad459835579e71f88bbb9c05e6f9174ff0721d5826eb990b4669655a1033

SHA512
528b63d398e571d64adb7200370822cb9335e75a25b7022302aa2518f5acb31975d93b310e78914a97903e52bd7a731599336a0c5acff417201a614bf519a639

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
9936cb0ca376b02afdad243af3d54cfe

SHA1
9f448a16fbc4b93e2642ab5fbd83d8b1417e37d6

SHA256
491bb277e0eeaf2cabdf9d129fce13c485e9b9e0c48a55c399fc869122ad9acf

SHA512
7e5a36e184709676578f76502f0f753b8e7031923af01e30985ac1daa3ea4c5bd0dda467036ee91461c9ce0808ea30c701e72a77a9426396b44ebd6e1a7eb478

Download Submit
C:\Windows\SysWOW64\sxload.tmp
Filesize
5KB

MD5
7e82aa06e5669b76006d3daac566835e

SHA1
1b541f0178a1628c372b770b236e461c76be0ae1

SHA256
b1542a8b5f6c5ca93cb515de16c11fd13e020d2c047b9a2f865ef0960c23a3cb

SHA512
940169084829f05587968954bebc0472f876eac8c86b4b7c60bb8421fe051ec1115f8b898d9e0f80f7a22d124759c1ec9edc3b0fba67f180e9612262693ad750

Download Submit
memory/364-187-0x0000000000000000-mapping.dmp

Download
memory/644-195-0x0000000000000000-mapping.dmp

Download
memory/692-203-0x0000000000000000-mapping.dmp

Download
memory/1040-186-0x0000000000000000-mapping.dmp

Download
memory/1660-199-0x0000000000000000-mapping.dmp

Download
memory/1672-221-0x0000000000000000-mapping.dmp

Download
memory/1828-151-0x0000000000000000-mapping.dmp

Download
memory/2108-184-0x0000000000000000-mapping.dmp

Download
memory/2144-147-0x0000000000000000-mapping.dmp

Download
memory/2304-180-0x0000000000000000-mapping.dmp

Download
memory/2376-167-0x0000000000000000-mapping.dmp

Download
memory/2380-205-0x0000000000000000-mapping.dmp

Download
memory/2424-206-0x0000000000000000-mapping.dmp

Download
memory/2436-153-0x0000000000000000-mapping.dmp

Download
memory/2664-185-0x0000000000000000-mapping.dmp

Download
memory/3076-219-0x0000000000000000-mapping.dmp

Download
memory/3348-154-0x0000000000000000-mapping.dmp

Download
memory/3620-136-0x0000000000000000-mapping.dmp

Download
memory/3696-132-0x0000000000000000-mapping.dmp

Download
memory/3696-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3696-142-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3708-188-0x0000000000000000-mapping.dmp

Download
memory/4120-218-0x0000000000000000-mapping.dmp

Download
memory/4224-139-0x0000000000000000-mapping.dmp

Download
memory/4272-145-0x0000000000000000-mapping.dmp

Download
memory/4284-155-0x0000000000000000-mapping.dmp

Download
memory/4316-158-0x0000000002570000-0x0000000002707000-memory.dmp

Filesize
1.6MB

Download
memory/4316-208-0x0000000003640000-0x00000000036CE000-memory.dmp

Filesize
568KB

Download
memory/4316-170-0x0000000003640000-0x00000000036CE000-memory.dmp

Filesize
568KB

Download
memory/4316-181-0x0000000002570000-0x0000000002707000-memory.dmp

Filesize
1.6MB

Download
memory/4316-148-0x0000000000000000-mapping.dmp

Download
memory/4316-171-0x0000000003A00000-0x0000000003A49000-memory.dmp

Filesize
292KB

Download
memory/4424-201-0x0000000000000000-mapping.dmp

Download
memory/4480-202-0x0000000000000000-mapping.dmp

Download
memory/4572-152-0x0000000000000000-mapping.dmp

Download
memory/4664-204-0x0000000000000000-mapping.dmp

Download
memory/4936-222-0x0000000000000000-mapping.dmp

Download
memory/4980-144-0x0000000000000000-mapping.dmp

Download
memory/4992-178-0x0000000000000000-mapping.dmp

Download
memory/5064-183-0x0000000000000000-mapping.dmp

Download