7279a86c5d2e4229a197b344ba1de7a8010d92bef391a4a4b0071153e8624e8b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quickq-setup.exe
Size

125.5MB
MD5

e87ffa1c871af8d4ff0fc61488069cb7
SHA1

ee853e1eb7a3605f22ebf45257fc5364fb5368ff
SHA256

7279a86c5d2e4229a197b344ba1de7a8010d92bef391a4a4b0071153e8624e8b
SHA512

d7eec65406295f3565d339f5f10102a5fc234647a76e23322eea7672d670a8edebb6192b05d691801bc7a3cadc47a021d2e66373327951ac72c7f7b20026ce61
SSDEEP

3145728:QT7e6GreS1e3aoeAmloP6AxVmsOQq9x/tDkIH1l2uw4Dc:bULzmUBx3sjB9gD4Y

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4136	MSIA2A0.tmp
1580	win32-quickq.exe
1404	MSIA689.tmp
4372	WindowsProgram.exe

Loads dropped DLL 22 IoCs

pid	Process
4904	MsiExec.exe
4904	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe
1580	win32-quickq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsProgram.exe"	WindowsProgram.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	quickq-setup.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	WindowsProgram.exe
File opened (read-only)	\??\M:	quickq-setup.exe
File opened (read-only)	\??\S:	quickq-setup.exe
File opened (read-only)	\??\T:	quickq-setup.exe
File opened (read-only)	\??\X:	quickq-setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	WindowsProgram.exe
File opened (read-only)	\??\V:	WindowsProgram.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	WindowsProgram.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	quickq-setup.exe
File opened (read-only)	\??\I:	quickq-setup.exe
File opened (read-only)	\??\P:	quickq-setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	quickq-setup.exe
File opened (read-only)	\??\N:	quickq-setup.exe
File opened (read-only)	\??\U:	quickq-setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	WindowsProgram.exe
File opened (read-only)	\??\Z:	WindowsProgram.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	quickq-setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	WindowsProgram.exe
File opened (read-only)	\??\Y:	WindowsProgram.exe
File opened (read-only)	\??\Q:	quickq-setup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	quickq-setup.exe
File opened (read-only)	\??\J:	quickq-setup.exe
File opened (read-only)	\??\O:	quickq-setup.exe
File opened (read-only)	\??\V:	quickq-setup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	WindowsProgram.exe
File opened (read-only)	\??\R:	quickq-setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	WindowsProgram.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Default.key	WindowsProgram.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI953C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI960A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI961B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI956D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A5BBA976-4B07-4766-95EA-8521D8C0711D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA689.tmp	msiexec.exe
File created	C:\Windows\Installer\e57949f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI950C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI955C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57949f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA109.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2A0.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quickq-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIA2A0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsProgram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIA689.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsProgram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WindowsProgram.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
9160	taskkill.exe
10296	taskkill.exe
4104	taskkill.exe
9056	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 540031000000000014597b721000517569636b5100003e0009000400efbe14597472145980722e00000099340200000007000000000000000000000000000000c612310151007500690063006b005100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000025980631100557365727300640009000400efbe874f7748145968722e000000c70500000000010000000000000000003a00000000004b9dfd0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000001459747210004c6f63616c003c0009000400efbe02598063145974722e00000094e10100000001000000000000000000000000000000489816014c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000002596a6c100041646d696e003c0009000400efbe02598063145968722e00000076e1010000000100000000000000000000000000000030663700410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000259806312004170704461746100400009000400efbe02598063145968722e00000081e10100000001000000000000000000000000000000f7ecec004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5776	explorer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1532	msiexec.exe
1532	msiexec.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe
4372	WindowsProgram.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1532	msiexec.exe
Token: SeCreateTokenPrivilege	4312	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	4312	quickq-setup.exe
Token: SeLockMemoryPrivilege	4312	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	4312	quickq-setup.exe
Token: SeMachineAccountPrivilege	4312	quickq-setup.exe
Token: SeTcbPrivilege	4312	quickq-setup.exe
Token: SeSecurityPrivilege	4312	quickq-setup.exe
Token: SeTakeOwnershipPrivilege	4312	quickq-setup.exe
Token: SeLoadDriverPrivilege	4312	quickq-setup.exe
Token: SeSystemProfilePrivilege	4312	quickq-setup.exe
Token: SeSystemtimePrivilege	4312	quickq-setup.exe
Token: SeProfSingleProcessPrivilege	4312	quickq-setup.exe
Token: SeIncBasePriorityPrivilege	4312	quickq-setup.exe
Token: SeCreatePagefilePrivilege	4312	quickq-setup.exe
Token: SeCreatePermanentPrivilege	4312	quickq-setup.exe
Token: SeBackupPrivilege	4312	quickq-setup.exe
Token: SeRestorePrivilege	4312	quickq-setup.exe
Token: SeShutdownPrivilege	4312	quickq-setup.exe
Token: SeDebugPrivilege	4312	quickq-setup.exe
Token: SeAuditPrivilege	4312	quickq-setup.exe
Token: SeSystemEnvironmentPrivilege	4312	quickq-setup.exe
Token: SeChangeNotifyPrivilege	4312	quickq-setup.exe
Token: SeRemoteShutdownPrivilege	4312	quickq-setup.exe
Token: SeUndockPrivilege	4312	quickq-setup.exe
Token: SeSyncAgentPrivilege	4312	quickq-setup.exe
Token: SeEnableDelegationPrivilege	4312	quickq-setup.exe
Token: SeManageVolumePrivilege	4312	quickq-setup.exe
Token: SeImpersonatePrivilege	4312	quickq-setup.exe
Token: SeCreateGlobalPrivilege	4312	quickq-setup.exe
Token: SeCreateTokenPrivilege	4312	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	4312	quickq-setup.exe
Token: SeLockMemoryPrivilege	4312	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	4312	quickq-setup.exe
Token: SeMachineAccountPrivilege	4312	quickq-setup.exe
Token: SeTcbPrivilege	4312	quickq-setup.exe
Token: SeSecurityPrivilege	4312	quickq-setup.exe
Token: SeTakeOwnershipPrivilege	4312	quickq-setup.exe
Token: SeLoadDriverPrivilege	4312	quickq-setup.exe
Token: SeSystemProfilePrivilege	4312	quickq-setup.exe
Token: SeSystemtimePrivilege	4312	quickq-setup.exe
Token: SeProfSingleProcessPrivilege	4312	quickq-setup.exe
Token: SeIncBasePriorityPrivilege	4312	quickq-setup.exe
Token: SeCreatePagefilePrivilege	4312	quickq-setup.exe
Token: SeCreatePermanentPrivilege	4312	quickq-setup.exe
Token: SeBackupPrivilege	4312	quickq-setup.exe
Token: SeRestorePrivilege	4312	quickq-setup.exe
Token: SeShutdownPrivilege	4312	quickq-setup.exe
Token: SeDebugPrivilege	4312	quickq-setup.exe
Token: SeAuditPrivilege	4312	quickq-setup.exe
Token: SeSystemEnvironmentPrivilege	4312	quickq-setup.exe
Token: SeChangeNotifyPrivilege	4312	quickq-setup.exe
Token: SeRemoteShutdownPrivilege	4312	quickq-setup.exe
Token: SeUndockPrivilege	4312	quickq-setup.exe
Token: SeSyncAgentPrivilege	4312	quickq-setup.exe
Token: SeEnableDelegationPrivilege	4312	quickq-setup.exe
Token: SeManageVolumePrivilege	4312	quickq-setup.exe
Token: SeImpersonatePrivilege	4312	quickq-setup.exe
Token: SeCreateGlobalPrivilege	4312	quickq-setup.exe
Token: SeCreateTokenPrivilege	4312	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	4312	quickq-setup.exe
Token: SeLockMemoryPrivilege	4312	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	4312	quickq-setup.exe
Token: SeMachineAccountPrivilege	4312	quickq-setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4312	quickq-setup.exe
1300	msiexec.exe
1300	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1580	win32-quickq.exe
5776	explorer.exe
5776	explorer.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4904	1532	msiexec.exe	89
PID 1532 wrote to memory of 4904	1532	msiexec.exe	89
PID 1532 wrote to memory of 4904	1532	msiexec.exe	89
PID 4312 wrote to memory of 1300	4312	quickq-setup.exe	90
PID 4312 wrote to memory of 1300	4312	quickq-setup.exe	90
PID 4312 wrote to memory of 1300	4312	quickq-setup.exe	90
PID 1532 wrote to memory of 4740	1532	msiexec.exe	91
PID 1532 wrote to memory of 4740	1532	msiexec.exe	91
PID 1532 wrote to memory of 4740	1532	msiexec.exe	91
PID 1532 wrote to memory of 4136	1532	msiexec.exe	92
PID 1532 wrote to memory of 4136	1532	msiexec.exe	92
PID 1532 wrote to memory of 4136	1532	msiexec.exe	92
PID 1532 wrote to memory of 1404	1532	msiexec.exe	96
PID 1532 wrote to memory of 1404	1532	msiexec.exe	96
PID 1532 wrote to memory of 1404	1532	msiexec.exe	96
PID 1580 wrote to memory of 10296	1580	win32-quickq.exe	104
PID 1580 wrote to memory of 10296	1580	win32-quickq.exe	104
PID 1580 wrote to memory of 10296	1580	win32-quickq.exe	104
PID 1580 wrote to memory of 4104	1580	win32-quickq.exe	106
PID 1580 wrote to memory of 4104	1580	win32-quickq.exe	106
PID 1580 wrote to memory of 4104	1580	win32-quickq.exe	106
PID 1580 wrote to memory of 9056	1580	win32-quickq.exe	108
PID 1580 wrote to memory of 9056	1580	win32-quickq.exe	108
PID 1580 wrote to memory of 9056	1580	win32-quickq.exe	108
PID 1580 wrote to memory of 9160	1580	win32-quickq.exe	110
PID 1580 wrote to memory of 9160	1580	win32-quickq.exe	110
PID 1580 wrote to memory of 9160	1580	win32-quickq.exe	110
PID 1580 wrote to memory of 8924	1580	win32-quickq.exe	112
PID 1580 wrote to memory of 8924	1580	win32-quickq.exe	112
PID 1580 wrote to memory of 8924	1580	win32-quickq.exe	112
PID 1580 wrote to memory of 8864	1580	win32-quickq.exe	114
PID 1580 wrote to memory of 8864	1580	win32-quickq.exe	114
PID 1580 wrote to memory of 8864	1580	win32-quickq.exe	114
PID 1580 wrote to memory of 7500	1580	win32-quickq.exe	118
PID 1580 wrote to memory of 7500	1580	win32-quickq.exe	118
PID 1580 wrote to memory of 7500	1580	win32-quickq.exe	118
PID 1580 wrote to memory of 7584	1580	win32-quickq.exe	121
PID 1580 wrote to memory of 7584	1580	win32-quickq.exe	121
PID 1580 wrote to memory of 7584	1580	win32-quickq.exe	121
PID 1580 wrote to memory of 6080	1580	win32-quickq.exe	124
PID 1580 wrote to memory of 6080	1580	win32-quickq.exe	124
PID 1580 wrote to memory of 6080	1580	win32-quickq.exe	124

C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe
"C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\QuickQ\QuickQ 6.0.137.0\install\quickq-setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1723922935 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1300

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3C3FD60BE8019E8E7A486022FC5B848A C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FB0E07A203B488F7154DDF5D56C7A4E2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4740
- C:\Windows\Installer\MSIA2A0.tmp
  "C:\Windows\Installer\MSIA2A0.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4136
- C:\Windows\Installer\MSIA689.tmp
  "C:\Windows\Installer\MSIA689.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1404

C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe
"C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickq.exe -t
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:10296
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickq-browser.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM typeperf.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:9056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickqservice-*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:9160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7584
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe /select,"C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6080

C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5794a2.rbs

Filesize
421KB

MD5
763ce0800ea50fc2797b3d128d8eb475

SHA1
f63bc8f29721acd56f191a30fe81f9076ac699bb

SHA256
1a122468684c33fd9a89beb6a34b8a57c7e94a0b335c6095fd4a95278d64c142

SHA512
fcdd90e8a8ce8b991fc55e8e4835c9e5b8212d29cf43ba6e7048c2c5458327f6906cd9b0bcaff601e921fdad55ed9220d872477dc478982d35a2667ebf5f8904

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe

Filesize
2.0MB

MD5
ab0e135992a4c0676e8506f2847d5275

SHA1
44b8201033afeddab58fea80f1f662b5914434f2

SHA256
00e28fb333fdd952138c2586ab7d698a039deae52be39b2bb7350b67141b902f

SHA512
243fed0896ac0bd0956905eb66a91ce03f4fb222032244609c6a6ad76b1e2fa6224159cb00ceaab6d23b0b4c6edd8a486749b67a115271ddf6f45fa7d76bb178

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.lnk

Filesize
1KB

MD5
d862a5832bf77f61e0c6c59cb85f1ef8

SHA1
05c6a1fd2240d88088a145101b26ca4ef2bc5eff

SHA256
4bf5b392539e1675e7639d24f1284203851a7734283a3f8ea69a338ef0283f82

SHA512
e541ffc26b509c03e84555d1a643884901df0d0e7de0603320f27d3d89f32a5634a60b1308c2c785eec2c8dafbe03e0510f11b8dce3662b4172b8b1c64eecbda

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\locales\bg.pak.info

Filesize
742KB

MD5
d611503e029dab3c1262127dff2f899e

SHA1
415ccea2e7e47f294366490fde386d74261f8e33

SHA256
d0b585f25524b300bc67a510bb9674558656656d97a145ea13ae43aad3b7b9a6

SHA512
97df2a88fa4414c2d8f66aecefe166c5044db2576efc39c76446446850702d0d9e0221476c435f8ec44b38eafae49912f7c81fefd194c919d87f7178b9fc3f4c

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\notification_helper.exe

Filesize
829KB

MD5
f02412897f9fede5ad9b8426bea4ceb4

SHA1
2867508e60bcd0b1e9333755845377cd921770fa

SHA256
d123e505bf5fda510c2ea066d034b7d5adf5fa4e8fe7e8321ecfe5791a24959b

SHA512
1f546e97cadf91d34e2c39d4fe4a4518c7a43b2bc8222b46dbc37759aefc27d500734c47b481c94e784c6eb5967dd7a4b3a09b88e6b3e32ede13f98f015d9e2f

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc.exe

Filesize
23KB

MD5
2955a0fac28d3951ffa5738ba07de7ce

SHA1
30633ca29e79bbecb1e7b074dd2f5783f05c556b

SHA256
01b2e339f7205794e3708cebf66db7bb4940e7ae82497244307ff9561a001986

SHA512
f1dc5387b4862091ff912be801dd146d6c3a1f913a56cd3040a0ddbfcbc516c448d78606b47f609a3b05ff808d5a6ac5ef3aab0fa276bee96d0fd5e7e829b129

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc_64.exe

Filesize
23KB

MD5
07e5da1aebc7f4d96cd8481f227798dd

SHA1
101e92945a762869f26d2dfd242b3e957f6afedb

SHA256
9db5f4b9ddd00abd44decce002f6a23d5efffe00afddeaf84f5a31611ffc95dd

SHA512
a5bc4206b448d4cc68f6d05768af5589e18e7adfa2a89c283778e6268f37d41815686ec0b22f6387b722eef57c13426fef49cbaeb9b53cd8ff28ebe5fca38993

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI92DB.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe

Filesize
28.2MB

MD5
6b656bd1a2e86cbd5be521b905a1e29d

SHA1
632993bc9ada968b7a20da3e17cf50436e4ab602

SHA256
2baa956744ce166969d41fc319cbce0239446466b313dddbab008b5a8c0f517b

SHA512
11979f38ee399484ca3d4a8fb7d9bc22028e6cbccbf1d31c084c8b8465005934b1b4e5b296f5be53cdbb71bb0d7aa62380ee29f2797f5a4399c273a480e46d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\ioSpecial.ini

Filesize
541B

MD5
ab3400b911a0273389b0da59f56fe2e7

SHA1
5c4837366b998f970ce67ba8fbc2c3a4974113f5

SHA256
da3bcfe6000895a871e6be544c76dfdf28a1bd8f13f5f03e8575afacdeda2492

SHA512
3f1e4daa66f4b6ecdf7e41e6528f742001e59c090eb2d2c4b019dced197bde17cbea13750bf547f9829c69360b16b7d002ff3da4aa62b0606cf383bab8bc7bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\ioSpecial.ini

Filesize
541B

MD5
770526c8d0cd6b5282077bae0f68eb69

SHA1
ecbd323e2fe3f74b7aff946096517209fb00dae1

SHA256
dc7f188552122980e6aede9d534bde6897f1774b66c9411d9c2e57ac9577a3de

SHA512
f70a38ca849d438257c11602c5cf0fbd990bd13697abb2358ab21e6fec8b44c7cbb84657e062742023f4de747be77276ffecd88516c0b088a4a985bfaada7c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\ioSpecial.ini

Filesize
718B

MD5
aba245d3e1cfde4d9a8c72630f5e48b1

SHA1
9a7f95ea710b0e18f60cbff482bfd767ab1d3ee4

SHA256
b1fae032602f4c57f22c45e2e332af22339375617f6803ac2c895aab9756ed2a

SHA512
a6fa35d5813df9c5de4d8f68f8bcd7f3397a100406665ff8fc58e6f328c7795b2a0082188d63c95b8cec33f9fe2da9e4304ba9e0e919964b087325b7aa081262

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\nsExec.dll

Filesize
6KB

MD5
1f49d8af9be9e915d54b2441c4a79adf

SHA1
1ee4f809c693e31f34bc6d8153664a6dc2c3e499

SHA256
b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

SHA512
c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA71E.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
C:\Users\Admin\AppData\Roaming\QuickQ\QuickQ 6.0.137.0\install\quickq-setup.msi

Filesize
2.2MB

MD5
4c5cd46f6f60cf9978b2d345d2e33038

SHA1
6c3f9fe30b0d274e272e47fa0883296bf9e33edd

SHA256
95be6ca7488f40c73e8a349dfb1ed6ffab997d9867f748680979ff96955769bd

SHA512
0fb54738a25c67c90eed6acf8d986fc1f68776f81d4577c5fb6edc13313b70e963762cc97b039958c9340efe21ea18247bd40abd7551d79adc54484e838cb131

Download Submit
C:\Windows\Installer\MSI961B.tmp

Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSIA2A0.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
memory/4372-13236-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-162-0x0000000076BA0000-0x0000000076DB5000-memory.dmp

Filesize
2.1MB

Download
memory/4372-13230-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-13231-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-6045-0x0000000077450000-0x00000000774CA000-memory.dmp

Filesize
488KB

Download
memory/4372-4036-0x0000000075920000-0x0000000075AC0000-memory.dmp

Filesize
1.6MB

Download
memory/4372-14269-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-13323-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-161-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-13235-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-14372-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4372-13234-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-13232-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download
memory/4372-14398-0x0000000000400000-0x0000000002041000-memory.dmp

Filesize
28.3MB

Download