gh0strat | 99220d8972a6f8881424513e1cc11161716f84400913f28493c6256d2d58f69d

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quickq-setup.exe
Size

125.0MB
MD5

0ff6074efc8680a0ec0bb44bca08f191
SHA1

c48972532e99a9a846690bb880e0b91ba202eb90
SHA256

99220d8972a6f8881424513e1cc11161716f84400913f28493c6256d2d58f69d
SHA512

afe4de5817433bd52d64fe7abc8754518be63bd1dbe7ebc631546a2707117901021518b5aeeb5800cc56fd661b390cb48bbf18881fd1883649860dd2dfdb21c9
SSDEEP

3145728:QBCe6GreS1e3aoeAmloP6AxVmsOQq9x/tDkIHLewAgQf/:QULzmUBx3sjB6wRA/

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/15152-17568-0x0000000000400000-0x0000000001F5D000-memory.dmp	purplefox_rootkit
behavioral1/memory/2108-27441-0x0000000000400000-0x0000000001F5D000-memory.dmp	purplefox_rootkit
behavioral1/memory/10716-27444-0x0000000000400000-0x0000000001F5D000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/15152-17568-0x0000000000400000-0x0000000001F5D000-memory.dmp	family_gh0strat
behavioral1/memory/2108-27441-0x0000000000400000-0x0000000001F5D000-memory.dmp	family_gh0strat
behavioral1/memory/10716-27444-0x0000000000400000-0x0000000001F5D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Executes dropped EXE 6 IoCs

pid	Process
676	MSIEB20.tmp
2888	win32-quickq.exe
1900	MSIEC1C.tmp
2108	WindowsProgram.exe
15152	Skcsk.exe
10716	Skcsk.exe

Loads dropped DLL 22 IoCs

pid	Process
2720	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
700	MsiExec.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe
2888	win32-quickq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	Skcsk.exe
File opened (read-only)	\??\T:	quickq-setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	Skcsk.exe
File opened (read-only)	\??\V:	Skcsk.exe
File opened (read-only)	\??\Z:	quickq-setup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	quickq-setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	Skcsk.exe
File opened (read-only)	\??\X:	Skcsk.exe
File opened (read-only)	\??\N:	quickq-setup.exe
File opened (read-only)	\??\P:	quickq-setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	Skcsk.exe
File opened (read-only)	\??\Q:	Skcsk.exe
File opened (read-only)	\??\U:	Skcsk.exe
File opened (read-only)	\??\G:	quickq-setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	Skcsk.exe
File opened (read-only)	\??\Z:	Skcsk.exe
File opened (read-only)	\??\V:	quickq-setup.exe
File opened (read-only)	\??\K:	quickq-setup.exe
File opened (read-only)	\??\S:	quickq-setup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	Skcsk.exe
File opened (read-only)	\??\O:	Skcsk.exe
File opened (read-only)	\??\R:	Skcsk.exe
File opened (read-only)	\??\J:	quickq-setup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	quickq-setup.exe
File opened (read-only)	\??\H:	Skcsk.exe
File opened (read-only)	\??\Y:	quickq-setup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	Skcsk.exe
File opened (read-only)	\??\H:	quickq-setup.exe
File opened (read-only)	\??\X:	quickq-setup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	quickq-setup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Skcsk.exe	WindowsProgram.exe
File opened for modification	C:\Windows\SysWOW64\Skcsk.exe	WindowsProgram.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs

pid	Process
2108	WindowsProgram.exe
2108	WindowsProgram.exe
2108	WindowsProgram.exe
15152	Skcsk.exe
15152	Skcsk.exe
2108	WindowsProgram.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE457.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4E5.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e3ae.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC1C.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e3ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e3ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE563.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e3ae.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEC1C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsProgram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quickq-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEB20.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skcsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skcsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
10936	PING.EXE
10764	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skcsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skcsk.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
10380	taskkill.exe
3796	taskkill.exe
15192	taskkill.exe
10704	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	Skcsk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Skcsk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	Skcsk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Skcsk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Skcsk.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000002559963410204c6f63616c00380008000400efbe2359ab29255996342a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000002359ab29122041707044617461003c0008000400efbe2359ab292359ab292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000002359ab291100557365727300600008000400efbeee3a851a2359ab292a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000002359a42d100041646d696e00380008000400efbe2359ab292359a42d2a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 50003100000000002559a7341020517569636b5100003a0008000400efbe255996342559a7342a0000003f6d010000000e00000000000000000000000000000051007500690063006b005100000016000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
10936	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
264	msiexec.exe
264	msiexec.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe
10716	Skcsk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	264	msiexec.exe
Token: SeTakeOwnershipPrivilege	264	msiexec.exe
Token: SeSecurityPrivilege	264	msiexec.exe
Token: SeCreateTokenPrivilege	1980	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	1980	quickq-setup.exe
Token: SeLockMemoryPrivilege	1980	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	1980	quickq-setup.exe
Token: SeMachineAccountPrivilege	1980	quickq-setup.exe
Token: SeTcbPrivilege	1980	quickq-setup.exe
Token: SeSecurityPrivilege	1980	quickq-setup.exe
Token: SeTakeOwnershipPrivilege	1980	quickq-setup.exe
Token: SeLoadDriverPrivilege	1980	quickq-setup.exe
Token: SeSystemProfilePrivilege	1980	quickq-setup.exe
Token: SeSystemtimePrivilege	1980	quickq-setup.exe
Token: SeProfSingleProcessPrivilege	1980	quickq-setup.exe
Token: SeIncBasePriorityPrivilege	1980	quickq-setup.exe
Token: SeCreatePagefilePrivilege	1980	quickq-setup.exe
Token: SeCreatePermanentPrivilege	1980	quickq-setup.exe
Token: SeBackupPrivilege	1980	quickq-setup.exe
Token: SeRestorePrivilege	1980	quickq-setup.exe
Token: SeShutdownPrivilege	1980	quickq-setup.exe
Token: SeDebugPrivilege	1980	quickq-setup.exe
Token: SeAuditPrivilege	1980	quickq-setup.exe
Token: SeSystemEnvironmentPrivilege	1980	quickq-setup.exe
Token: SeChangeNotifyPrivilege	1980	quickq-setup.exe
Token: SeRemoteShutdownPrivilege	1980	quickq-setup.exe
Token: SeUndockPrivilege	1980	quickq-setup.exe
Token: SeSyncAgentPrivilege	1980	quickq-setup.exe
Token: SeEnableDelegationPrivilege	1980	quickq-setup.exe
Token: SeManageVolumePrivilege	1980	quickq-setup.exe
Token: SeImpersonatePrivilege	1980	quickq-setup.exe
Token: SeCreateGlobalPrivilege	1980	quickq-setup.exe
Token: SeCreateTokenPrivilege	1980	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	1980	quickq-setup.exe
Token: SeLockMemoryPrivilege	1980	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	1980	quickq-setup.exe
Token: SeMachineAccountPrivilege	1980	quickq-setup.exe
Token: SeTcbPrivilege	1980	quickq-setup.exe
Token: SeSecurityPrivilege	1980	quickq-setup.exe
Token: SeTakeOwnershipPrivilege	1980	quickq-setup.exe
Token: SeLoadDriverPrivilege	1980	quickq-setup.exe
Token: SeSystemProfilePrivilege	1980	quickq-setup.exe
Token: SeSystemtimePrivilege	1980	quickq-setup.exe
Token: SeProfSingleProcessPrivilege	1980	quickq-setup.exe
Token: SeIncBasePriorityPrivilege	1980	quickq-setup.exe
Token: SeCreatePagefilePrivilege	1980	quickq-setup.exe
Token: SeCreatePermanentPrivilege	1980	quickq-setup.exe
Token: SeBackupPrivilege	1980	quickq-setup.exe
Token: SeRestorePrivilege	1980	quickq-setup.exe
Token: SeShutdownPrivilege	1980	quickq-setup.exe
Token: SeDebugPrivilege	1980	quickq-setup.exe
Token: SeAuditPrivilege	1980	quickq-setup.exe
Token: SeSystemEnvironmentPrivilege	1980	quickq-setup.exe
Token: SeChangeNotifyPrivilege	1980	quickq-setup.exe
Token: SeRemoteShutdownPrivilege	1980	quickq-setup.exe
Token: SeUndockPrivilege	1980	quickq-setup.exe
Token: SeSyncAgentPrivilege	1980	quickq-setup.exe
Token: SeEnableDelegationPrivilege	1980	quickq-setup.exe
Token: SeManageVolumePrivilege	1980	quickq-setup.exe
Token: SeImpersonatePrivilege	1980	quickq-setup.exe
Token: SeCreateGlobalPrivilege	1980	quickq-setup.exe
Token: SeCreateTokenPrivilege	1980	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	1980	quickq-setup.exe
Token: SeLockMemoryPrivilege	1980	quickq-setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1980	quickq-setup.exe
2812	msiexec.exe
2812	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 264 wrote to memory of 2720	264	msiexec.exe	32
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 1980 wrote to memory of 2812	1980	quickq-setup.exe	33
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 700	264	msiexec.exe	34
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 676	264	msiexec.exe	35
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 264 wrote to memory of 1900	264	msiexec.exe	37
PID 2888 wrote to memory of 3796	2888	win32-quickq.exe	39
PID 2888 wrote to memory of 3796	2888	win32-quickq.exe	39
PID 2888 wrote to memory of 3796	2888	win32-quickq.exe	39
PID 2888 wrote to memory of 3796	2888	win32-quickq.exe	39
PID 2888 wrote to memory of 15192	2888	win32-quickq.exe	43
PID 2888 wrote to memory of 15192	2888	win32-quickq.exe	43
PID 2888 wrote to memory of 15192	2888	win32-quickq.exe	43
PID 2888 wrote to memory of 15192	2888	win32-quickq.exe	43
PID 15152 wrote to memory of 10716	15152	Skcsk.exe	46
PID 15152 wrote to memory of 10716	15152	Skcsk.exe	46
PID 15152 wrote to memory of 10716	15152	Skcsk.exe	46
PID 15152 wrote to memory of 10716	15152	Skcsk.exe	46
PID 2888 wrote to memory of 10704	2888	win32-quickq.exe	45
PID 2888 wrote to memory of 10704	2888	win32-quickq.exe	45
PID 2888 wrote to memory of 10704	2888	win32-quickq.exe	45
PID 2888 wrote to memory of 10704	2888	win32-quickq.exe	45
PID 2108 wrote to memory of 10764	2108	WindowsProgram.exe	47
PID 2108 wrote to memory of 10764	2108	WindowsProgram.exe	47
PID 2108 wrote to memory of 10764	2108	WindowsProgram.exe	47
PID 2108 wrote to memory of 10764	2108	WindowsProgram.exe	47
PID 10764 wrote to memory of 10936	10764	cmd.exe	50
PID 10764 wrote to memory of 10936	10764	cmd.exe	50
PID 10764 wrote to memory of 10936	10764	cmd.exe	50
PID 10764 wrote to memory of 10936	10764	cmd.exe	50
PID 2888 wrote to memory of 10380	2888	win32-quickq.exe	51
PID 2888 wrote to memory of 10380	2888	win32-quickq.exe	51
PID 2888 wrote to memory of 10380	2888	win32-quickq.exe	51
PID 2888 wrote to memory of 10380	2888	win32-quickq.exe	51
PID 2888 wrote to memory of 7480	2888	win32-quickq.exe	53

C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe
"C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\QuickQ\QuickQ 6.0.137.0\install\quickq-setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1725258748 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D03CCEC9A89FC2C123DE00AAFCF3F14D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 85C0A4A0298515DF17D7C44EE9A750D0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:700
- C:\Windows\Installer\MSIEB20.tmp
  "C:\Windows\Installer\MSIEB20.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:676
- C:\Windows\Installer\MSIEC1C.tmp
  "C:\Windows\Installer\MSIEC1C.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1900

C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe
"C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickq.exe -t
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickq-browser.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:15192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM typeperf.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:10704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickqservice-*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:10380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4940
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe /select,"C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8604

C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\WINDOW~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:10764
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:10936

C:\Windows\SysWOW64\Skcsk.exe
C:\Windows\SysWOW64\Skcsk.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:15152
- C:\Windows\SysWOW64\Skcsk.exe
  C:\Windows\SysWOW64\Skcsk.exe -acsi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:10716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:8700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e3af.rbs

Filesize
421KB

MD5
063f3023082fb873318d7b7f4901e374

SHA1
319fe7df8abd3beb84863f529026d9e3b367e20a

SHA256
b93196ce74ef8d823c6b6ea7f34bee0320fd32a7a9af319b9a82b5d7b106ba9b

SHA512
1d33a944bd2dd9650d5c02eb115c92b9c2aa1d4574b197cd1f3d273a5d04260335971eb320639e8dab598f7fb345f31a7c265079e90c8922e97a1fa3ac3f8202

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.lnk

Filesize
989B

MD5
67211009833a7ec976dd01088fdff427

SHA1
c054b69b629295e65486e12c5a35a49d131f1970

SHA256
9125eb6ffb82420fc3cc4c8efbfc479a8af0cd155305a01da3fc929ebc9a9ac5

SHA512
a8fcc5e5cd7d62913e337700f96de7e56d64a77335887fbfcfba3ad907f31d1ed6b1197b12a37056da749f7d49360993e5b9836d6845fd46058e25cf76f880c4

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\app.dat

Filesize
866KB

MD5
5f1ea0a8b2f864cf2764297e83bb8e2d

SHA1
91397061d553c1b2eebbbb28b3dbb4ab9402e16b

SHA256
0f8a2d3312c54daed903fb9a4bca2d5cb47cbffd38257b7fab67d8cc51f405c3

SHA512
a9c75d4404d9d47e4acb7273b0d16bf7642e2facd3b5281b60678a95f48603d0587bf749921ed0942313a90ff6d5e1fda05263691677f908f9d355bfb15126ac

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\const.bin

Filesize
43KB

MD5
5b92af71a5ff71c8c6be2d9bdd42d020

SHA1
a9e2ba66e24e1aa15fdff18bcb0e4892fb0c25eb

SHA256
0b3915a4ef7feb7ee6eccc9eb23393b679c37e38c06f5322b443b92360fa1506

SHA512
56c058d95dc4d1a1a7579261419579d32eb9b8ec87031cfa3e6d966f89bcac4a819c755221acbbe883221ba07f8a76faf9756002cd1d57155d92768471ddaccf

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\env

Filesize
512B

MD5
01c8a28acb2605e98d94ca2c11975e21

SHA1
4272dc4935ca7f6be6a84eb86d8407cdde3d869d

SHA256
fa1a1c5ad6df1d248a2c5f935cb0aab1ef467d567f4e9be2394218f6aa2181b9

SHA512
258e8912cdc128e38a90c347b18192d16128a4c51951ca3fcf63d998f77104d7ff7a6e0007d8e9d8612cd60d177e21da3e7f720d37afa0c075497e1e87d7f1bd

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\ffmpeg.dll

Filesize
1.7MB

MD5
9568836102a8848029fcb06cf6af3390

SHA1
9e3293110cef748b973fa426e5f1873f1d14382a

SHA256
66c1df7dbccc7e4576897c2ccecaaef79f2584c57a1a6e5a61501dc8b2da9eef

SHA512
af02b935f25a02eb22e2751748d036bd3bd34b8881589f06e600757bd95fbcf7ae3b9dfcd5d555c90e76e1ec591687a64f9aa9c8ee6585f3447cd70dad813ecd

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\index.binary.bin

Filesize
5KB

MD5
2ad1a6f426b68e71cfd8359f1aa771e5

SHA1
3bf2004e91d43ba1741608ed2417c873f9c94f7e

SHA256
4b1109301bece6167bfcabbd98ee4683f8936546d2ab8ae2a5488d4dc28fc786

SHA512
32c8ed537d34bb3b892eae71fde9f78a8d02367dd8abac655e661756a051bf5e6212c3fd24ae292c9fba0ef7fc02f5ce336126831d9ec465bd8ccb38257c25d8

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\index.css

Filesize
125KB

MD5
fd8a67d4a0bd7163688b3c82367e96f5

SHA1
6fa9cef37a37bf098a258b4cc7630d75536f9666

SHA256
9ddb56c652f1ba61e15dcec8bffd70e6c4ebf4660406b80d97774756be84ccd4

SHA512
e8481046e3a3259d6a88f96fcb5fd61e4e00c4a655d59e667f762bb2cdad98b16be61780c4cd1b87adaeef6f4ae8a993caaefc6351ee14a39d79a646ba4dd57d

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\index.js

Filesize
101B

MD5
44a7318bc95f8550fa2b73f4b7ccc303

SHA1
d7efadb17b6a57a7d6cd5b52b89f85d3f0216007

SHA256
146a1605c9400173a46b7bcad1d64fa5494a326f811698f6880244384cc1ecca

SHA512
d02bcf803c985e2fdb6267dfcc6b5bfd346cd07a85c1a852963ecdfbde8ec5e4177c7463af5b7efaaf772ce41ccca9727201a371034f6df5df2c030f5fb9680d

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\libEGL.dll

Filesize
347KB

MD5
415429eb5286a8df4a4249467bd27c41

SHA1
eed82774e2c66d46457e1cf8e2a2a6bf1020ce2a

SHA256
f3e341673ccf367562c110815a1d90026eaee2b893d137c250a179949f8242e4

SHA512
fb2657afa6428ce70011c463b4beca71936ece865780b66d43dcbc0ab4d07920627ff5bdfb00b1ce5b020b3a20fc14734a57f19d0e6cf2d919705f9b320a6c8e

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\libGLESv2.dll

Filesize
5.4MB

MD5
3559e960f18fc7b0bd06f3234e5cd4d6

SHA1
2ab574f71a3a68ff932b41b13dbec7d486568a4e

SHA256
539e407e9551af55672d79ad724e882878df9fbfb2e8e7fa877abbf2cbcf4cff

SHA512
295cabd0827e0bdfad7dd9c292f13782ede6bad5c48d3bb6567f91297754202a123a8e677b9a52d46a53a01c0666a91e82ee0e4c31be11319a1062179a79e451

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\locales\bg.pak.info

Filesize
742KB

MD5
d611503e029dab3c1262127dff2f899e

SHA1
415ccea2e7e47f294366490fde386d74261f8e33

SHA256
d0b585f25524b300bc67a510bb9674558656656d97a145ea13ae43aad3b7b9a6

SHA512
97df2a88fa4414c2d8f66aecefe166c5044db2576efc39c76446446850702d0d9e0221476c435f8ec44b38eafae49912f7c81fefd194c919d87f7178b9fc3f4c

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\main.js

Filesize
6KB

MD5
a614b704ec66d52145d45f108e97fe3b

SHA1
1e3d7deee5a2c965dc6e91f08ceb4d5c6e9055c1

SHA256
caa2eb303adba236e36513635f27dcb925df3faa1bb7aeed06372cb355432368

SHA512
83aec0789eb15e62d2692e5707e4041806a833bf0ad9f9078e656522b4345ce6907a8339b43109fe0b2da4cd7282be5338720086cd39413ea7a97393f6cfa625

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\node.dll

Filesize
13.7MB

MD5
b36092c862b25f641737657569916abf

SHA1
a248f59edf36625c0cde8fed2372f32af159279d

SHA256
24c883f5c61aeb71e6709a48d96c478214d92d0ba8acb4a59527da191bf1053d

SHA512
29508192191f1996997f13ec921b5205365fedb317ac21ddb59814c0a8b9da65e6a34a5d54a7dfbc9f1b7d53419a0e3ca0ef8db631f06d49ffae260da3da4e5a

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\notification_helper.exe

Filesize
829KB

MD5
f02412897f9fede5ad9b8426bea4ceb4

SHA1
2867508e60bcd0b1e9333755845377cd921770fa

SHA256
d123e505bf5fda510c2ea066d034b7d5adf5fa4e8fe7e8321ecfe5791a24959b

SHA512
1f546e97cadf91d34e2c39d4fe4a4518c7a43b2bc8222b46dbc37759aefc27d500734c47b481c94e784c6eb5967dd7a4b3a09b88e6b3e32ede13f98f015d9e2f

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\nw_100_percent.pak

Filesize
576KB

MD5
7098fa98cefb320e87c7eae3727570dc

SHA1
21e130c4193ab011cf9104ffa6e52d33f31145ea

SHA256
d9c19d2dda16481f711e15d896e7e22ff006eb09791d067f4b661951ac373e82

SHA512
44ae44d3318e4e5a584a0bf6f38111cf52711e71f026d89c88281f31b0a7a1ef0e91f80460e6b69d0c5e3bf10cb5e603c3dcf7c3b3ba23376d00414c0b162318

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\nw_200_percent.pak

Filesize
854KB

MD5
8f8b2b9e971ce6ce4da39a98475f9181

SHA1
310b8ee9226ca8668d89355f83f004af53ed60f0

SHA256
99515b75ba633470061d0d7b7a09daad3147ce69f8bbc524e6717bb4887633d5

SHA512
abccc184d9d436aa86a7ce9922ab43854a1855fdabac230562c112811fce31f067c8860000bc45836c4c03042438a52689453496c16b90e449b9d5a2360bbb88

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\nw_elf.dll

Filesize
805KB

MD5
424830903511a6f273f506f7b55ac03d

SHA1
f4116b24bec44cc5ad0a71024fb3fc73ddd1b1d1

SHA256
e6b43a7242b6197262e479ce2fbb1c58f1a9a45b2b15bc9951d35eb612788734

SHA512
728d19dbca6f0aec814f45580bfb78c8ded3992e645763917ffdccc97e9bf622495b782882420d9001055aa7e463f46a76476092eb122620ff4c869a09104202

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\package.json

Filesize
766B

MD5
4c3931d9351b5cd689b39f538d4d063d

SHA1
81baa100915719654be0f39882240e012aedef0a

SHA256
4808af41260a3852c71f89ef6880f28bb4d98cd5cebbffb96f2347e6583e0a4c

SHA512
fff5fad17fec61a4d36c58036a4c7674d2ce4ff5fcc7e86c90ff662befd4c90e24466158f1827e2e2471f147152e26b0a96a806dc9ed4b4f1a59aa67a7bb7711

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc.exe

Filesize
23KB

MD5
2955a0fac28d3951ffa5738ba07de7ce

SHA1
30633ca29e79bbecb1e7b074dd2f5783f05c556b

SHA256
01b2e339f7205794e3708cebf66db7bb4940e7ae82497244307ff9561a001986

SHA512
f1dc5387b4862091ff912be801dd146d6c3a1f913a56cd3040a0ddbfcbc516c448d78606b47f609a3b05ff808d5a6ac5ef3aab0fa276bee96d0fd5e7e829b129

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc_64.exe

Filesize
23KB

MD5
07e5da1aebc7f4d96cd8481f227798dd

SHA1
101e92945a762869f26d2dfd242b3e957f6afedb

SHA256
9db5f4b9ddd00abd44decce002f6a23d5efffe00afddeaf84f5a31611ffc95dd

SHA512
a5bc4206b448d4cc68f6d05768af5589e18e7adfa2a89c283778e6268f37d41815686ec0b22f6387b722eef57c13426fef49cbaeb9b53cd8ff28ebe5fca38993

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE225.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe

Filesize
27.4MB

MD5
68afd62d13c6e7eef178dbd802f4346b

SHA1
563b6732f4ef8d48057876edb389877495614c11

SHA256
b1863a43a5f1688b31501200fa4adaeea3b25608e29dad06865888c12a3349a4

SHA512
04960cae9dad7835b481e5086b01befd0ee7bf3042d1dde7220c5f446364fcbe0343b09010509be2a4bccb4cdda733aa6163dfed1c54bc1a7ab7a74b12c27b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstED0E.tmp\ioSpecial.ini

Filesize
541B

MD5
f84119a1a049aec87d1d6300c3aa726e

SHA1
5a39c360d4d08d1fbe1eb7432934a8c29df43bce

SHA256
b6ec71c821b5fedc95ea5ed3394c6a506d86ff505ee54baa1a41547ab1bbb976

SHA512
4a3e8b8c5364f436cf3648b3c5037768059793c7ed7a5ed8321470a83ccd54f025446727ef8f386f1ac1bf20c08f3e83fa257306ad953ccfb23d939334082054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstED0E.tmp\ioSpecial.ini

Filesize
679B

MD5
f3d22a1f935af106565c0feba25aadd0

SHA1
5f3775b4987b1a4661bf0ebaaa1aee5675a9dbf6

SHA256
73b09a549a0e1e3343bb8416bc64effc19a06d708f37f418563c7ce89c18b27a

SHA512
00b96d2fb9caa9095097299c5c1466847bd58649524fb02948cb937732cf00963e2302da3a6faf0257f5d37a57c247c49759b9fb7313f2ce9c83ca4a0f3d11c3

Download Submit
C:\Users\Admin\AppData\Roaming\QuickQ\QuickQ 6.0.137.0\install\quickq-setup.msi

Filesize
2.2MB

MD5
89b5da70e48ed6f8e6547e204ee76988

SHA1
4ced51de86ed3f32d9d16acd4e3fe0108f7296ee

SHA256
e65e3fb9233dfd6cfc7926da5f292ae7e0e9922fbfe8d38ade9168c3a8f72b51

SHA512
beb3ed20a9ff764dbba325c48f87fee0d7e277a8b4502f63860081293efe7de42b54513ba985eb318fa25d0125f0f2fd7453213b13762f2b5b687d2fd458cde0

Download Submit
C:\Windows\Installer\MSIE563.tmp

Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSIEB20.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
\Users\Admin\AppData\Local\QuickQ\QuickQ.exe

Filesize
2.0MB

MD5
ab0e135992a4c0676e8506f2847d5275

SHA1
44b8201033afeddab58fea80f1f662b5914434f2

SHA256
00e28fb333fdd952138c2586ab7d698a039deae52be39b2bb7350b67141b902f

SHA512
243fed0896ac0bd0956905eb66a91ce03f4fb222032244609c6a6ad76b1e2fa6224159cb00ceaab6d23b0b4c6edd8a486749b67a115271ddf6f45fa7d76bb178

Download Submit
\Users\Admin\AppData\Local\Temp\nstED0E.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
\Users\Admin\AppData\Local\Temp\nstED0E.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
\Users\Admin\AppData\Local\Temp\nstED0E.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Temp\nstED0E.tmp\nsExec.dll

Filesize
6KB

MD5
1f49d8af9be9e915d54b2441c4a79adf

SHA1
1ee4f809c693e31f34bc6d8153664a6dc2c3e499

SHA256
b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

SHA512
c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

Download Submit
\Users\Admin\AppData\Local\Temp\nstED0E.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
memory/676-50-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/1900-57-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1980-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1980-8843-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2108-1011-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-961-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-981-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-975-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-967-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-960-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-987-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-992-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-27441-0x0000000000400000-0x0000000001F5D000-memory.dmp

Filesize
27.4MB

Download
memory/2108-146-0x0000000000400000-0x0000000001F5D000-memory.dmp

Filesize
27.4MB

Download
memory/2108-150-0x0000000076120000-0x0000000076167000-memory.dmp

Filesize
284KB

Download
memory/2108-993-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-997-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-999-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1001-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1003-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1005-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1007-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1009-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1015-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1017-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1019-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-985-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-979-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-977-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-971-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-969-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-965-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-983-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-1013-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-995-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-989-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-973-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/2108-963-0x0000000003D90000-0x0000000003EA1000-memory.dmp

Filesize
1.1MB

Download
memory/10716-17569-0x0000000000400000-0x0000000001F5D000-memory.dmp

Filesize
27.4MB

Download
memory/10716-27444-0x0000000000400000-0x0000000001F5D000-memory.dmp

Filesize
27.4MB

Download
memory/15152-17568-0x0000000000400000-0x0000000001F5D000-memory.dmp

Filesize
27.4MB

Download
memory/15152-8862-0x0000000000400000-0x0000000001F5D000-memory.dmp

Filesize
27.4MB

Download