449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185

Analysis

max time kernel
103s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
Size

10.0MB
MD5

48185b9d80c6fe5b1987755507322cd6
SHA1

a3232833bc84314fe081c93864e0b4df737b90f3
SHA256

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185
SHA512

55d0c666492ecdfccf71a2fae55c54d7eca402650cf64f049621a97f6abda8c0e1f7ae4128482016b85b7c33129a5426cd01ce6a754c017f6cfd456e44e37410
SSDEEP

196608:jbfSWxOu68KU2vzQ8aVoKPPg2mQm1wOWDjOwbcToKxQNO9U:/fEu68wzGmgo2hrFDjf4oKiO9U

Score

10^/10

bootkit evasion miner persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Detectes Phoenix Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\ov\svchost.exe	miner_phoenix
C:\Windows\ov\svchost.exe	miner_phoenix
behavioral2/memory/656-203-0x0000000000400000-0x0000000000E42000-memory.dmp	miner_phoenix
behavioral2/memory/656-206-0x0000000000400000-0x0000000000E42000-memory.dmp	miner_phoenix

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4784 netsh.exe
376 netsh.exe

pid	process
4784	netsh.exe
376	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Executes dropped EXE 3 IoCs

Processes:

rar.exesvchost.exe7za.exe

pid process

3908 rar.exe
656 svchost.exe
2328 7za.exe
Loads dropped DLL 5 IoCs

Processes:

svchost.exe449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

pid process

656 svchost.exe
656 svchost.exe
4632 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
656 svchost.exe
656 svchost.exe

pid	process
3908	rar.exe
656	svchost.exe
2328	7za.exe

pid	process
656	svchost.exe
656	svchost.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
656	svchost.exe
656	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\ov\nrov.dll	upx
C:\Windows\ov\nrov.dll	upx
C:\Program Files\ov\getov.dll	upx
C:\Program Files\ov\getov.dll	upx
C:\Program Files\ov\getov.dll	upx
behavioral2/memory/4632-201-0x0000000000400000-0x00000000006B1000-memory.dmp	upx
behavioral2/memory/656-202-0x0000000007C00000-0x0000000007FA0000-memory.dmp	upx
behavioral2/memory/656-204-0x0000000007C00000-0x0000000007FA0000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\E: svchost.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe
Drops file in Program Files directory 1 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description ioc process

File created C:\Program Files\ov\getov.dll 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

description	ioc	process
File opened (read-only)	\??\E:	svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

description	ioc	process
File created	C:\Program Files\ov\getov.dll	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Drops file in Windows directory 16 IoCs

Processes:

rar.exeexpand.exe449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exesvchost.exe

description	ioc	process
File created	C:\Windows\ov\svchost.exe	rar.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\ov\qskg.config	rar.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\gconfig.ini	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File opened for modification	C:\Windows\ov\rar.exe	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File created	C:\Windows\ov\ov.rar	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File created	C:\Windows\ov\nrov.dll	rar.exe
File opened for modification	C:\Windows\ov\nrov.dll	rar.exe
File created	C:\Windows\ov\qskg.config	rar.exe
File opened for modification	C:\Windows\ov\ov.rar	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File created	C:\Windows\ov\qskg.pools	svchost.exe
File opened for modification	C:\Windows\ov	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File created	C:\Windows\ov\rar.exe	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File opened for modification	C:\Windows\ov\svchost.exe	rar.exe
File opened for modification	C:\Windows\ov\qskg.config	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

pid	process
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

pid process

4632 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

svchost.exe7za.exepowercfg.exepowercfg.exe449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description	pid	process
Token: SeBackupPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeRestorePrivilege	2328	7za.exe
Token: 35	2328	7za.exe
Token: SeSecurityPrivilege	2328	7za.exe
Token: SeSecurityPrivilege	2328	7za.exe
Token: SeShutdownPrivilege	3220	powercfg.exe
Token: SeCreatePagefilePrivilege	3220	powercfg.exe
Token: SeShutdownPrivilege	2936	powercfg.exe
Token: SeCreatePagefilePrivilege	2936	powercfg.exe
Token: SeShutdownPrivilege	2936	powercfg.exe
Token: SeCreatePagefilePrivilege	2936	powercfg.exe
Token: SeBackupPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeSecurityPrivilege	656	svchost.exe
Token: SeDebugPrivilege	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

svchost.exe7za.exe

pid process

656 svchost.exe
656 svchost.exe
2328 7za.exe

pid	process
656	svchost.exe
656	svchost.exe
2328	7za.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 4632 wrote to memory of 2208	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 4632 wrote to memory of 2208	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 2208 wrote to memory of 3908	2208	cmd.exe	rar.exe
PID 2208 wrote to memory of 3908	2208	cmd.exe	rar.exe
PID 2208 wrote to memory of 3908	2208	cmd.exe	rar.exe
PID 4632 wrote to memory of 4128	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 4632 wrote to memory of 4128	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 4128 wrote to memory of 4784	4128	cmd.exe	netsh.exe
PID 4128 wrote to memory of 4784	4128	cmd.exe	netsh.exe
PID 4632 wrote to memory of 656	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe
PID 4632 wrote to memory of 656	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe
PID 4128 wrote to memory of 376	4128	cmd.exe	netsh.exe
PID 4128 wrote to memory of 376	4128	cmd.exe	netsh.exe
PID 656 wrote to memory of 1352	656	svchost.exe	expand.exe
PID 656 wrote to memory of 1352	656	svchost.exe	expand.exe
PID 656 wrote to memory of 2328	656	svchost.exe	7za.exe
PID 656 wrote to memory of 2328	656	svchost.exe	7za.exe
PID 656 wrote to memory of 2328	656	svchost.exe	7za.exe
PID 656 wrote to memory of 2936	656	svchost.exe	powercfg.exe
PID 656 wrote to memory of 2936	656	svchost.exe	powercfg.exe
PID 656 wrote to memory of 3220	656	svchost.exe	powercfg.exe
PID 656 wrote to memory of 3220	656	svchost.exe	powercfg.exe
PID 4632 wrote to memory of 656	4632	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
"C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SYSTEM32\cmd.exe
cmd /c rar x -ep2 -y ov.rar & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\ov\rar.exe
rar x -ep2 -y ov.rar
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name=ov dir=out & netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255 & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name=ov dir=out
3⤵
- Modifies Windows Firewall
PID:4784

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255
3⤵
- Modifies Windows Firewall
PID:376

C:\Windows\ov\svchost.exe
"C:\Windows\ov\svchost.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:656

C:\Windows\SYSTEM32\expand.exe
expand "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" "C:\Users\Admin\AppData\Roaming\qskg\\7za.exe"
3⤵
- Drops file in Windows directory
PID:1352

C:\Users\Admin\AppData\Roaming\qskg\7za.exe
"C:\Users\Admin\AppData\Roaming\qskg\\7za.exe" x "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" -y -o"C:\Users\Admin\AppData\Roaming\qskg\"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SYSTEM32\powercfg.exe
powercfg -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SYSTEM32\powercfg.exe
powercfg -x -standby-timeout-ac 000
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Bootkit

T1067

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ov\getov.dll
Filesize
864KB

MD5
2a9c389b9fd376ecc40f591565531e9e

SHA1
59d5b8aba37a710dbb7926f0cb1561c672a59b96

SHA256
0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9

SHA512
bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1

Download Submit
C:\Program Files\ov\getov.dll
Filesize
864KB

MD5
2a9c389b9fd376ecc40f591565531e9e

SHA1
59d5b8aba37a710dbb7926f0cb1561c672a59b96

SHA256
0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9

SHA512
bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1

Download Submit
C:\Program Files\ov\getov.dll
Filesize
864KB

MD5
2a9c389b9fd376ecc40f591565531e9e

SHA1
59d5b8aba37a710dbb7926f0cb1561c672a59b96

SHA256
0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9

SHA512
bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB200.tmp
Filesize
3.9MB

MD5
87099260c00a3891fd96f2a92e31308f

SHA1
7ea1edf45d0bef3fdef52da5b635462461735eb9

SHA256
c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73

SHA512
a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449

Download Submit
C:\Users\Admin\AppData\Roaming\qskg\7za.exe
Filesize
676KB

MD5
2e3309647ce678ca313fe3825a57ccb9

SHA1
792fdeccddd3cc182eac3a1ecd7affe5b48262c8

SHA256
e6855553350fa6fb23e05839c7f3ef140dad29d9a0e3495de4d1b17a9fbf5ca4

SHA512
5eb2af380fed7117d45232d42dec4d05a6f4f6cd6c7d03583c181b235344ea922290b6e0bf6b9683592bccc0f4a3b2b9b9fd7d41fbfebf1045bd95b027539dbc

Download Submit
C:\Users\Admin\AppData\Roaming\qskg\7za.exe
Filesize
676KB

MD5
2e3309647ce678ca313fe3825a57ccb9

SHA1
792fdeccddd3cc182eac3a1ecd7affe5b48262c8

SHA256
e6855553350fa6fb23e05839c7f3ef140dad29d9a0e3495de4d1b17a9fbf5ca4

SHA512
5eb2af380fed7117d45232d42dec4d05a6f4f6cd6c7d03583c181b235344ea922290b6e0bf6b9683592bccc0f4a3b2b9b9fd7d41fbfebf1045bd95b027539dbc

Download Submit
C:\Users\Admin\AppData\Roaming\qskg\pcid_x64.dll
Filesize
207KB

MD5
bf53fdbae95f8e912865c25e1787e660

SHA1
3397cd69bdfa9ddaccb36e4b0cfe089b1be81174

SHA256
e0fed7e42068d42b913773ca1ed8cdc1ea53a85b811aefcb89ecd7b9a68f7dcc

SHA512
59876642809061d18eb7f7ba864898245593c6fd8c12c340e937e317de49eddbde4757fc2c864349217ce5ac96c08cbbb9c77dba4685240ecb35b462d40437dc

Download Submit
C:\Users\Admin\AppData\Roaming\qskg\pcid_x64.dll
Filesize
207KB

MD5
bf53fdbae95f8e912865c25e1787e660

SHA1
3397cd69bdfa9ddaccb36e4b0cfe089b1be81174

SHA256
e0fed7e42068d42b913773ca1ed8cdc1ea53a85b811aefcb89ecd7b9a68f7dcc

SHA512
59876642809061d18eb7f7ba864898245593c6fd8c12c340e937e317de49eddbde4757fc2c864349217ce5ac96c08cbbb9c77dba4685240ecb35b462d40437dc

Download Submit
C:\Users\Admin\AppData\Roaming\qskg\pcid_x64.dll
Filesize
207KB

MD5
bf53fdbae95f8e912865c25e1787e660

SHA1
3397cd69bdfa9ddaccb36e4b0cfe089b1be81174

SHA256
e0fed7e42068d42b913773ca1ed8cdc1ea53a85b811aefcb89ecd7b9a68f7dcc

SHA512
59876642809061d18eb7f7ba864898245593c6fd8c12c340e937e317de49eddbde4757fc2c864349217ce5ac96c08cbbb9c77dba4685240ecb35b462d40437dc

Download Submit
C:\Users\Admin\AppData\Roaming\qskg\qskg.tmp
Filesize
85KB

MD5
b3a4ee7d08335917583403746e32f3d9

SHA1
d2f4761d73914756e828a899a5949ca6a6f96e5b

SHA256
0d4d9a9d57b5a8bb79f225315d050bb76e89fe79e8888c3ce62544e75b229919

SHA512
2de091071946d81ed994d3404e38d98523c6f33985890058c305e27fa9b789fc24423f4eb3d14feae8f78cceafac3e294f9cf0c6b7f63b168fb471da7e0ebfc3

Download Submit
C:\Windows\ov\nrov.dll
Filesize
1.3MB

MD5
9d7805a480ccb9fb877d7ba05b15dd9f

SHA1
bbef4eae1d880eb713823e58c8f7469c7e8a5783

SHA256
edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b

SHA512
ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe

Download Submit
C:\Windows\ov\nrov.dll
Filesize
1.3MB

MD5
9d7805a480ccb9fb877d7ba05b15dd9f

SHA1
bbef4eae1d880eb713823e58c8f7469c7e8a5783

SHA256
edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b

SHA512
ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe

Download Submit
C:\Windows\ov\ov.rar
Filesize
3.9MB

MD5
87099260c00a3891fd96f2a92e31308f

SHA1
7ea1edf45d0bef3fdef52da5b635462461735eb9

SHA256
c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73

SHA512
a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449

Download Submit
C:\Windows\ov\qskg.config
Filesize
787B

MD5
5ada09545331f33ba9833b4c2f320014

SHA1
941edce8cd486ecf2e69ea37f3f87650f8899cbb

SHA256
b63ee3ed578fb804f4d4bd19302e03fc02388337cc0d4124ce88ed09be6dc57b

SHA512
71140b737858a12ed4cddef2639afbb14af176c25736d313759969eb3164238050e131ee8e1e74b969b598bc4e0757685078e901235e2f074016325d4a632fa8

Download Submit
C:\Windows\ov\qskg.config
Filesize
776B

MD5
5743c538ad7506f2613dad86a09df230

SHA1
95fb7f75869d08b89393edc5f7264ded5478cd4c

SHA256
0701858cf2b46442225dfbd4dc7c059c7f7f6f092d180898a1bcfb7f0c095ae1

SHA512
527ac1f4715a1c23264a181320c53cf3438cff5d224cf9f50fa8725058f737bb1a12fc511c3596f7a0bb85a784e597e8eeda25be721560c6709d730b18cfc34f

Download Submit
C:\Windows\ov\rar.exe
Filesize
532KB

MD5
2075b20cc7b891b00ac2135909ee420c

SHA1
0e182e2ebf3befab3fbca1c1a6b080338d99abd7

SHA256
0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1

SHA512
0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e

Download Submit
C:\Windows\ov\svchost.exe
Filesize
9.9MB

MD5
fe52776bea1e40791de81198fa50f9a4

SHA1
4c73c759e5131144dc82f60d385d440406230f6c

SHA256
f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87

SHA512
ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

Download Submit
C:\Windows\ov\svchost.exe
Filesize
9.9MB

MD5
fe52776bea1e40791de81198fa50f9a4

SHA1
4c73c759e5131144dc82f60d385d440406230f6c

SHA256
f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87

SHA512
ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

Download Submit
\??\c:\users\admin\appdata\roaming\qskg\qskg.tmp
Filesize
373KB

MD5
7d246c632d2bf4e2a7ef1a13d0940ec0

SHA1
accb19ce32802fb7e268ad43e29f919810e423f8

SHA256
b6fec99ec42bd0f01304f2ff6733752b65bee274d39bd53dd4131c277a2aac79

SHA512
63d7eb0659d19a8183d40c81b2ef705b5fd8631ff049b46088f60b2936fea4fec199669239cd9d9dd161fd232d782d78a6b59073428d5039ed35de8a53e92383

Download Submit
memory/656-158-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/656-177-0x0000000003A60000-0x0000000003A9A000-memory.dmp

Filesize
232KB

Download
memory/656-202-0x0000000007C00000-0x0000000007FA0000-memory.dmp

Filesize
3.6MB

Download
memory/656-203-0x0000000000400000-0x0000000000E42000-memory.dmp

Filesize
10.3MB

Download
memory/656-204-0x0000000007C00000-0x0000000007FA0000-memory.dmp

Filesize
3.6MB

Download
memory/656-205-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/656-206-0x0000000000400000-0x0000000000E42000-memory.dmp

Filesize
10.3MB

Download
memory/4632-201-0x0000000000400000-0x00000000006B1000-memory.dmp

Filesize
2.7MB

Download