4e7f1c3363c2c235c0ebe67a20dea81f7666a48899629dd30b27c4c919ee87e5

Resubmissions

25-05-2024 13:22

240525-qmpthaed38 7

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

6.8MB
MD5

f20c43704b8382c0f30309cc15130187
SHA1

8814c4795e177aca493535ca66d4f7bb3dc3a46a
SHA256

4e7f1c3363c2c235c0ebe67a20dea81f7666a48899629dd30b27c4c919ee87e5
SHA512

e68f2f8d78c55301b20694d4f79a2433d4d9be9bb36922d1c3a0f70db75ec7ccb0624d7bcd913709d74eb5d0c5c3aa0ba043cdae852c97d1cfb87c639c24b800
SSDEEP

98304:X/O+9yFVK/Z9sA+VdwVHBSK6FCExd+iXKcigyFucNpDNk1FBGRZCehn1tWw:PAFCgA+VdwZyCAKgQPjNkfUZCehnHWw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4860	Setup.tmp
3336	unins000.exe
2152	_iu14D2N.tmp

Loads dropped DLL 6 IoCs

pid	Process
4860	Setup.tmp
4860	Setup.tmp
4860	Setup.tmp
4860	Setup.tmp
2152	_iu14D2N.tmp
2152	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\dark.png	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.dat	Setup.tmp
File opened for modification	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.dat	Setup.tmp
File opened for modification	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.dat	_iu14D2N.tmp
File created	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\botva2.dll	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\light.png	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\Setup1.jpg	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\is-A3C4D.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\botva2.dll	Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4860	Setup.tmp
4860	Setup.tmp
4608	msedge.exe
4608	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4860	Setup.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4860	Setup.tmp
2152	_iu14D2N.tmp
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 4860	1248	Setup.exe	82
PID 1248 wrote to memory of 4860	1248	Setup.exe	82
PID 1248 wrote to memory of 4860	1248	Setup.exe	82
PID 4860 wrote to memory of 3336	4860	Setup.tmp	100
PID 4860 wrote to memory of 3336	4860	Setup.tmp	100
PID 4860 wrote to memory of 3336	4860	Setup.tmp	100
PID 3336 wrote to memory of 2152	3336	unins000.exe	101
PID 3336 wrote to memory of 2152	3336	unins000.exe	101
PID 3336 wrote to memory of 2152	3336	unins000.exe	101
PID 4860 wrote to memory of 4072	4860	Setup.tmp	102
PID 4860 wrote to memory of 4072	4860	Setup.tmp	102
PID 4072 wrote to memory of 2528	4072	msedge.exe	103
PID 4072 wrote to memory of 2528	4072	msedge.exe	103
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4312	4072	msedge.exe	104
PID 4072 wrote to memory of 4608	4072	msedge.exe	105
PID 4072 wrote to memory of 4608	4072	msedge.exe	105
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106
PID 4072 wrote to memory of 2568	4072	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\is-AO1F1.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AO1F1.tmp\Setup.tmp" /SL5="$701F8,6522624,227840,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.exe
    "C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.exe" /verysilent
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.exe" /FIRSTPHASEWND=$20296 /verysilent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dodi-repacks.site/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd846f46f8,0x7ffd846f4708,0x7ffd846f4718
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      4⤵
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,12303115810103704520,1993865587730511496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      4⤵
      PID:2916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.dat

Filesize
143KB

MD5
1e4ebe194c46302ae8f92e5764b2304d

SHA1
f5f37f6ed88adc0114ec63678ad04cb73a129928

SHA256
1f5cfc9e7533dc36e25a4b26c4aca14032aca924e4ad68d3d8a04e83bf932564

SHA512
60c966aaa5c82abff67316f175116f42988696de57f7bdd9bebe07fbbf107cb3ca5e1a2767a3a6a0d56f7d55c64c3e8a1b64c8eea85e1835196db2e37e706ff4

Download Submit
C:\Program Files (x86)\DODI-Repacks\ELDEN RING\Uninstall\unins000.exe

Filesize
1.5MB

MD5
937c41506c19aed3a8381ba723e519ce

SHA1
0022dbb7c039ab147d964da59d799260b376575f

SHA256
c3a320c39063bc3d6b07c91e91c8d11ffbc9fda338796fba89d54341ff66a441

SHA512
c802ae6bfa992039a9974cd71a74497b4eb21af9d27d6cff49fe63afc4f084de35b38fe39f77db3d45189a53cccf820b10f29ca43da122eda9ac57067706970f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
ef10bc897076c1c2b129ffc63c2ed6a3

SHA1
63d3c8ea0ee8e495e23216c432db74e854302afb

SHA256
21cfd3cb18bc212ebb3c5548e3029754011620d2d479b54410edc2e33e44acfa

SHA512
356e5af48654e75b7569306e322011e84419e2052fc1360e380f0032720048fb958132d6f05ab8b96a43335a85dae8161f589e28e0ab612109e64b7d44139fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
561B

MD5
0b93e1d8db401c57f167ad03608be1c3

SHA1
34e229cc0fc3b0050272c289889e4c9985609c86

SHA256
860c2c533a85735aaba1cec65dc1dc2d5990f9ca21c095a489ab4bbec4b49346

SHA512
3061dc4eae73a5e03124967abf01c44ca7672294ba8c32d854fa79e36e907bf1b989af974e7d46826e01d6381e23d68a111382f62b16e2806b50173e6e9a2cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
665606057704dd2004442dcc7986fb04

SHA1
8b263c703cbd9525c40cd6414935fe6a02efb4b7

SHA256
b19bd781ceff22934adc0701ea4a7016eb01a5dc053c5d541e0d86a20202895c

SHA512
885fda2b67734d47f075aaef0a32b9f2798da1104b75f9bff4bc94303b2d843e8a0ce289f3826df1bd35dfb2e0dcf5649aa5ada6d45df2737d1af717cf858ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d4e3ed52f78833b60151ce012a2a1991

SHA1
c3abe492dc4cac147e283c50bd56d9ba496b3d23

SHA256
32526eab35a6c093f00657b6b5d610f4e8275ff8101af4f4eaf8eaad7af60e91

SHA512
fa03903a911e8692f4bac249227b5d254799bf3a27991cfcbccc752e8679674f594e833e6f32cf3a949dd7bf50bc45693375e51222f30f202ee3f2a82a9e042e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75eaf26b9b93bcd38992ab046023b698

SHA1
96320d1fb18f5e201eb47379680f7405630842c8

SHA256
1707d7ed345dbc0100d77936399023a26275447ef312cde6719e70eba980e7ce

SHA512
599d16f0c1cdb5f27676d1ca1cc099a4781e43f7eeb09f2000136a92f5c781f9f166ce2e7b01647d7b720d74621f8fde55e5c3803da2af7d45fe4762bd912757

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KJOC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AO1F1.tmp\Setup.tmp

Filesize
1.5MB

MD5
6e4e83302159ec46e10280abe1d62ce1

SHA1
eb439d7b73e64605eb9f37b9b057722861ada267

SHA256
bb22238b9de45d10013cdf18b66d13646137bf5ddc075c781a160ef8739b2fd7

SHA512
22331088377154be8b11825c95c1a2a8765d71c3394714faed00a6185ab84afac63ae95103f20f1a9e4fe447259976734e1bd905e4a45bbe0567cee5241f1033

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Autorun1.jpg

Filesize
191KB

MD5
3688f2762ff4a7eb53589dd5d5696fb6

SHA1
d7616fb8cda1710b1e2279514da5d801c21cf7c1

SHA256
f0bdd416ad9ba0914629c288a806c2087e7ecad5b382d911aa1b4bc2dfd3f448

SHA512
d8462989722e6f40e256b144321e48e86aff248a375b552d2a17d709bf772315e3c0e73aae4fecb51028fd3f681c501b6f6b72dfa2f1d851b03df0e4f2a819d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Dark.png

Filesize
65KB

MD5
185d31c702a861fd7026c693513eb3fb

SHA1
4857cba77bce860ee34df70d2ed06ac51958b53f

SHA256
56e1b926b344ef760fea6a4fd862e066ea5295f7e5671fc7c0d1f1bc148e2009

SHA512
9cabac5d73a9dada0d809fdfbbb552c105d0de975a545fef70322b8c86b001691af6e2dc58e980343342a953bed12d91553dc253928cd6357836b6aaf5efb8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Exit.png

Filesize
9KB

MD5
91f97aa4b051e7b2991e5456d2c8655b

SHA1
901dd406613f3e97d8d6141bb061b242a3b5fb4f

SHA256
0ff3fbfbb177d5ffc8b577f821a91f9d39f13f5f548f9570c12cb85ccef526e3

SHA512
b664f7aff75308d416c9e479bbd9a9b840816d41fb1dc218187c01636e443c4c7976a635459f626f971961c89d0b8e3c91bb0d61940e487a36179437fb0aa296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Install.png

Filesize
22KB

MD5
3a104b9ff4b59bba6dc3b30114c5b31b

SHA1
3a03ebe2b3ff5d4bac88355c82a86da3bb30cfde

SHA256
1a72008c2393b330c3a9e05bcba070e538d9d5078767adc49a86a05473226ced

SHA512
8d4d985d5003b2b7739c9f5549b8ea143adcfa78188fea45de49a73f82dd1e88709ef35a62bdcfdf360a1d3face0cb40fb8ff782d15f5081127dd6121a7e0289

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Light.png

Filesize
56KB

MD5
5036fbdd45fec2ad2f18c0fa51a584be

SHA1
83c012dd5808248e27b611ad921d729e230cfaf7

SHA256
9813c13b925ca95d4038c827e5efa1bf6c00aed41c65b7e7d5907ddf68866847

SHA512
7c554d62e09410c4ae9a6cc02102ec618a35e93c2c74cb59b26e9c5d0bc4eee68a12c051c30cbef1c7c6ea5730e67ec551a3548834f1251e01bbb4bd561e7736

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Lockscreen.jpg

Filesize
197KB

MD5
3613f0066ece2af9afc564088fff27e3

SHA1
170650b018b5b9efa0e5591520bad8beeb2db2ca

SHA256
2e68cb653fc1311241bc31dd06432492d1130d409a8dcfbcb7fe1a6cba6e57bd

SHA512
f02a4b12a8a4b6cee2a31c66e2cf8b6921739c664f332e7ad705f2c16b1ac0fa748dd619de15039f1fc06ede78f86f20eeef7b3575f7c38963b048bbc580219e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Lockscreen_overlay.png

Filesize
77KB

MD5
f5f4fe2b811e5a07ae1184579cf36557

SHA1
9ae1594e259f1aa06734c8653796596113f2d08b

SHA256
d66bbf3a8d5f5890c3dbc95e77068abb10f3db4ebd0c71ae5dbf15d99174889c

SHA512
eded97ed79f84916e5727f83e170f3999478df537bebe39767c49a3bedf4c86cd5bc3dcfd5d767559b9333ce9e06bddeceb96469e5a70eaae47145a838438f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Setup1.jpg

Filesize
192KB

MD5
05c02eab0b5c8ad19446dd4e61fd986c

SHA1
f96fdc843d24e13d06a380261e3793312cf454a4

SHA256
ba74eefdbca7362751cdf774c0e03052d6ec8fd6f2733e7d43a1f9e88a1ab284

SHA512
484ed7561caeacda6f529f7334f5a034c0725b1ab14ec255f519dc7694e019474943a66dd1f5b01c0821fca2836160647d0dde3069a1b559123d7b1e78918f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Tile1_Background.jpg

Filesize
267KB

MD5
5e25fc73867c51bb749fa958b7c04fdf

SHA1
7c670bca631e94b46b33f50f1b8ec9d9d203898e

SHA256
36cf201c5171646a151b7ff5518078d6068f5437b52557784e4163a8e87a13a1

SHA512
e49b15ca8c190eb45a3920f87d652ef9ede95c1b68d48d99e8445373f875d5991fd1320106d2d2130d51484852ade59348b343296be285e127a2d18c3bbbaab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Tile1_Icon1.png

Filesize
19KB

MD5
bb562c499c7bebaf0c0b0869f3833538

SHA1
4de593260cc4833ee3f903e122b39cd346bb1439

SHA256
5a497b1f9789ff32c31c033d660e45bf0a2f543a5a7b5e96e3cf4cbedbdbcf4f

SHA512
648fe2673dfcb1c679a7f0d9b2c39c5c1166efffdfa473d8bb517d2a7b12733297f8ac30e3b4bb1d6c3bac9d45eebe2199d8db1529dbfaf3f4640c42a60808a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\Uninstall.png

Filesize
9KB

MD5
1dbec7e15bb3fe912ea362c7f5305cb8

SHA1
8ee2dca3f834cd7809dd50681bb432fa17f982f6

SHA256
43bfe50a575e87237abe4f65eee18b23e667c0a6c9fa1fd6fc2176948edfa527

SHA512
dc46536df17a17410a4aa2b6afaee9a620612e23498d009e766411bf2d17c87da0ac3b3f5a950375c34f4355f6b2924dfdc99c52102e1e702fd55f29333fc55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\botva2.dll

Filesize
37KB

MD5
619bf9ddcb5fe39ee9e5b0167e7f4f0d

SHA1
6da8c0d2407d5221172765b00452efa0f361902f

SHA256
609661a14733f6e9c2c2f2ff9c274f8a4cbedaff4dd32049aa5161f8d7083d6a

SHA512
a89fc731805e83f889f408fe3fea769d0e44faf1e1dd37d3569bbf57a6086b1ffc8783778e0be8236447c7661c44051b2d4b1d3a643f7ebc35f6ef0625c6897a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHQTD.tmp\logo.png

Filesize
253B

MD5
5b97ed539eefa61a38c5d8bd75ba431e

SHA1
fddf8d18f7c9db64c85f5d7570fc3dbaac03bfe6

SHA256
b0034f812ff8f9a71d5e2b21ed1630ace13fe24d70cf558573a4204fb7ed96d3

SHA512
9ae322311d28d09e46c92b1ed4bf91c2f11e7d22dc6c2c16498c5e6e960d0e3062169876da4fddb3ef2cca5384b22f213c4380ec85d83ff4d29717e59bb31f08

Download Submit
memory/1248-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1248-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-235-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2152-215-0x00000000021B0000-0x00000000021BF000-memory.dmp

Filesize
60KB

Download
memory/3336-226-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3336-196-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-192-0x0000000003240000-0x00000000032B7000-memory.dmp

Filesize
476KB

Download
memory/4860-84-0x0000000003240000-0x00000000032B7000-memory.dmp

Filesize
476KB

Download
memory/4860-127-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-308-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-85-0x00000000033D0000-0x00000000033DF000-memory.dmp

Filesize
60KB

Download
memory/4860-125-0x00000000033D0000-0x00000000033DF000-memory.dmp

Filesize
60KB

Download
memory/4860-83-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-123-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-35-0x00000000033D0000-0x00000000033DF000-memory.dmp

Filesize
60KB

Download
memory/4860-16-0x0000000003240000-0x00000000032B7000-memory.dmp

Filesize
476KB

Download
memory/4860-7-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-190-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download